A question we hear all the time is, “Do you handle our audits?” While it might seem like a simple yes-or-no question, there’s more to it. The following FAQ explores the topic of audits and how we help with audits in your medical practice.

The word “audit” is used broadly throughout the healthcare industry to reference a wide array of tasks, which can often cause confusion, especially as it relates to health information management (HIM). Due to the gray area that exists, it’s important to understand your organizational and external vendor classifications of what an audit is so that you’re aligned on what auditing activities can be performed internally and what to expect from your industry partners.

As HIM experts, ScanSTAT provides the following guidance on what we consider an audit when it comes to medical record requests, ensuring the security of protected health information (PHI) and HIPAA compliance. We want to provide recommendations for what “auditing” activities should be handled internally at your practice as well as provide clarification on where ScanSTAT runs into audits in our health information management world and how we interpret the word and fulfill our service commitments.


Payers are often asking you for charts and have historically used the word “audit” when making these requests. Typically, payers will send over chart pull requests with the label “chart review,” “chart audit,” “patient pull list” and the like. The payer needs the charts in order to audit a provider, practice or diagnosis code, and while this task may have been called an “audit,” your HIM department is not responsible for actually auditing the content in the chart.

Our Release of Information (ROI) service provides charts to payers, but it does not include the clinical expertise to determine medical necessity or provide an in-depth review of the actual content within a patient’s chart. Like your HIM staff, our ROI team is not trained for coding, billing or using a clinical eye to review charts. Fortunately, we do have a separate group at ScanSTAT that has experience in a clinical setting to provide this type of chart review/audit, and we can perform those services under a separate agreement.


Regarding CERT reviews for the Centers for Medicare & Medicaid Services, it’s recommended that you keep these activities within your billing office rather than utilizing HIM staff that may not have the right clinical experience. These requests are typically completed by a certified professional coder or business office internal expert. Because this type of request is asking for proof of medical necessity of a coding charge, it is not considered a typical insurance payer review request and requires closer attention. After all, your reimbursement money is on the line!


ScanSTAT staff adheres to strict internal auditing processes as part of our standard operating procedures to ensure accuracy and consistency in our work. At times, we may use the word “audit” to describe this internal process, because we are, in fact, auditing the work of our staff against our service agreement and policies.


In addition to the other references to audits, there is also a meaning involving security. When it comes to security, ScanSTAT can help ensure that your PHI is safe and that your organization appropriately assesses risks and creates mitigation plans. We’ll help you remain in compliance with annual HIPAA, Meaningful Use and Merit-Based Incentive Payment System regulations by auditing your current Security Risk Analysis to provide corrective recommendations or conducting the full Security Risk Analysis for your organization.


Organizations are increasingly investing time and resources in internal audit processes for HIPAA compliance to minimize the risk and cost of breach and noncompliance.[1] The Office for Civil Rights released criteria in June 2012 that its auditors use to validate compliance with HIPAA. This protocol outlined four procedures that organizations should follow in a HIPAA audit program to ensure compliance:

  • Determine the activities that will be tracked or audited
  • Select the tools that will be deployed and system activity reviews
  • Develop and deploy the information system activity review/audit policy
  • Develop appropriate standard operating procedures[2]


If your organization is having challenges with release of information requests, security procedures or HIPAA compliance, ScanSTAT is here to help! To learn more about ScanSTAT and how our team of health information management experts can help your organization streamline office workflows and reduce risk of liability, contact us today.

[1] https://www.healthmgttech.com/auditing-hipaa-compliance

[2] http://bok.ahima.org/doc?oid=300276#.Wg3likqnG70