SpeechPathology.com Phone: 800-242-5183

Healthcare Documentation, Coding and HIPAA Requirements: An SLP's Guide
Melissa Collier, MS, CCC-SLP, CHC, CDP
October 10, 2022


Editor's Note: This text is a transcript of the course, Healthcare Documentation, Coding and HIPAA Requirements: An SLP's Guide, presented by Melissa Collier, MS, CCC-SLP, CHC, CDP

Learning Outcomes

After this course, participants will be able to: 

  • Identify five elements of healthcare documentation
  • Describe the components of an ICD-10 code
  • Define HIPAA and describe how it relates to healthcare documentation

Healthcare Documentation

Role of a Health Record

Why do we have medical records? (I will be using the terms medical record and health record interchangeably.) The record does many things, from a payment perspective, a patient-specific perspective, and an operations perspective. First, it provides a record of the patient's health status, including everything from observations to assessments and a history and physical, and ultimately it serves as a legally binding document that describes the overall healthcare services that were provided to the patient.

The medical record provides evidence of the quality of care. That term is used a lot in healthcare right now.  It describes the services that were provided. It provides evidence that the care was medically necessary. It documents how the patient responded to that care and whether or not that healthcare provider made a change based on the patient's response. Additionally, it identifies the standards by which that care was delivered and documents that we adhered to the company standards and procedures when providing a service.

More than that, the health record provides a method of communication. For those of us who have been in healthcare for a while, we know that many people read our documentation. Likewise, we read a lot of healthcare records throughout a patient's plan of care, including at the very beginning of the evaluative process.

Moreover, the medical record protects against liability issues, which we will discuss later. It demonstrates compliance with state and federal regulations. There are many different rules and regulations on how a health record should be kept, how long it should be kept, what it should look like, and what should be in a health record.

The health record establishes adherence to standards of practice and supports payment for services.  There are a lot of entities requesting your records to see what you do as an SLP before paying you for those services. The health record can also be a data source for public health reasons. It serves as an opportunity for research and serves as the legal record for a healthcare organization.

Healthcare Documentation Requirements  

What are the requirements? As I mentioned, many entities have rules, regulations, and requirements. Those can differ depending on who's paying for the healthcare service. 

There are several that SLPs deal with, and the first one is Medicare Part A. Medicare Part A covers inpatient services in inpatient care settings. Those are settings such as a hospital, a skilled stay in a skilled nursing facility, hospice care, and home health.

Medicare Part B, on the other hand, covers outpatient services which are covered on a fee-per-service basis, meaning they will pay a contracted, set amount per service provided in settings such as skilled nursing facilities, private practices, outpatient settings, and university clinics.

Medicare Advantage plans are privately managed plans that are required to cover, at minimum, what Medicare covers, and therapy coverage varies per plan. Therefore, if you have a patient who has a Medicare Advantage plan (sometimes called a Managed Care Plan), it's important that you understand and know the terms of what that plan will cover.

Medicaid is another payer we often work with and is a state-based program. Beneficiaries include low-income individuals, children in certain circumstances, pregnant women, and any elderly or disabled who meet the requirements for income.

Private health plans also pay for healthcare services and can become very complicated.  Private health plans cover beneficiaries through either an employer-based plan or an individual policy either purchased through an exchange or purchased privately. Those plans vary significantly and some examples are Aetna, United Health Care, Blue Cross Blue Shield, etc.  Their documentation requirements are very specific to their health plan.

Guidelines for Defining the Health Record for Legal Purposes

What are the guidelines that a health record typically follows for legal purposes? Understanding the guidelines is important because we live in a world that has become increasingly litigious. We hear stories all the time of healthcare workers, nurses, doctors, and therapists who are sued or audited. Therefore, as practitioners, we need to know what a healthcare record should look like for legal reasons.

The American Health Information Management Association (AHIMA) has set forth guidelines for defining the healthcare record for legal purposes. That association is very involved in documentation and is a great resource. If you want to learn more about the specifics of health information, technology, and medical records systems, then they're a great one to research. The AHIMA breaks down the health record into four categories to provide guidelines for healthcare practitioners and organizations to define what is part of the legal record. If an attorney asks you for a patient's legal record from an outpatient setting, you will know what to include.

Category I: Legal Health Record. The first category AHIMA defines is the legal health record.  That is ultimately the legal business record generated for a patient at a healthcare organization level. That record is the one that would be released upon request with patient consent. That legal health record documents the healthcare services that were provided to the individual by the healthcare provider or organization. It will include records of care in any health-related setting. So any observations, assessments, instructions, and patient-specific data are included. 

Documentation found in a legal health record includes: 

  • Records of history and physical examination - The patient's primary care physician or attending physician would complete these.
  • Multidisciplinary progress notes/documentation - Progress notes related to other services such as nursing, respiratory care, etc.
  • Immunization record
  • Diagnosis list - This includes active and resolved diagnoses.
  • Medication profile / Physician Orders and Renewals - What medications are they currently taking? What's the dosage? What's the name of the medication? What did the physician order for the patient? Labs, X-rays, medications, rehab?
  • Consent for treatment forms
  • Consultation reports
  • Telephone orders
  • Advanced Directives
  • Physical therapy, Speech therapy, and Occupational therapy records - Oftentimes, large hospital systems will have that intra-communication system, and that is technically defined by AHIMA as part of the legal record.
  • Email containing patient-provider or provider-provider communication
  • Intake/output records - 
  • Nursing and other discipline assessments/notes
  • Care plan - This is the plan of care for how we will take care of this patient. 
  • Minimum data sets - Used in SNFs, this document looks back at all of the patient's diagnoses, needs, and services provided; and payment is generated from that comprehensive document.
  • Practice guidelines or protocols/clinical pathways that embed patient data
  • Discharge instructions, plan of care, etc

Category II: Patient-Identifiable Source Data. The most applicable part for us is that these are still part of the legal health record. They're often maintained in a separate location but with the same level of confidentiality. We usually have to make a request to retrieve them. Increasingly, they are captured in multimedia forms, and PDF is the most common. So, the patient-identifiable source data would be sent with the healthcare record if it was subpoenaed. Diagnostic films, x-rays, MRIs, swallow studies, MBSS, and FEES would fall into this category.

Category III: Administrative Data. This is patient-identifiable data that are used for administrative, regulatory, and payment purposes. It is still considered confidential information, but it is not considered a part of the legal health record. If an attorney or a payor requests the legal health record from you, you don't have to release any of the following:

  • Authorization forms for release of information
  • Correspondence concerning requests for records
  • Audit history/paperwork related to ADRs, denials, etc.
  • Protocols/clinical pathways, practice guidelines, and other knowledge sources that do not embed patient data
  • Patient-identifiable claim or bill for services
  • Patient-identifiable data reviewed for quality assurance or utilization management
  • Death certificates
  • Patient identifiers (e.g., medical record number, biometrics)

Category IV: Derived Data. Ultimately this is aggregate data, which is a lot of data combined from multiple patient records so that individual patients cannot be identified. Again, we still afford it the same level of confidentiality, but you would not include that aggregate data with your health record. Sometimes hospital systems will combine a lot of data to make best practice guidelines, make protocol decisions, or do research, but there's no patient-identifiable information in that data. And, again, this data would not be sent in with the legal record.

The Push to EHR

If you started out in the healthcare setting a while ago, often we were documenting on paper. It was very labor intensive, and many things got lost. In the last 20 years, there's been a push to transition from paper to the electronic health record (EHR) system.  President Obama started the conversation in 2009, and six years later, the Office of National Coordinator for Health Information Technology (HIT), which governs medical records, set forth a goal to achieve interoperability among electronic health records to improve patient health by 2024. Meaning, the EHRs could talk to each other. Unfortunately, in 2020, the Centers for Disease Control indicated that 80% of physicians in an office don't use an electronic health record yet. So, I don't think we will reach our goal of 2024, but we have seen that most hospitals and clinics are using some form of electronic medical record system.


There is a difference between an electronic medical record (EMR) and an electronic health record (EHR).  An electronic medical record is a digital version of a paper chart that allows us to track data, enter evaluations and progress notes, and ensure that the medical history is safeguarded. Most software systems, of course, are encrypted for safety reasons. They easily monitor and improve the overall quality of care. This is an easy way to track patient information. The problem with an electronic medical record is that it doesn't travel easily outside of its own system. Often, if another entity requests a patient's EMR, we have to print them and send them by mail, or digitally, via PDF after we've saved them as a digital file. Most of the therapy platforms that we utilize are considered electronic medical records.

Electronic health records have the same benefits but are designed to reach beyond just one health organization. They're ultimately built to share essential information seamlessly with other healthcare providers along the continuum of care. It contains all the information from all the clinicians. Not just across the continuum of care, but the patients themselves are also able to access their records. If you are in a pediatric clinic, can you imagine having access to all of the child's records from the physician or the post-acute clinicians? Can you imagine having immediate access to a modified barium swallow study that was done in the hospital?

Healthcare Record Retention

How long should healthcare records be kept? Each state has a unique record retention law, so the duration varies. It varies by setting and by type of record. If you are an owner of a clinic, work in a clinic, or have your own LLC, you need to research your state law and see what the requirement is there.

Federal laws also have regulations governing medical record retention. For example, Medicare CMS requires Medicare beneficiary records to be retained for at least five years. Medicaid retention for low-income or disabled individuals varies from state to state. Moreover, you also have to understand that record retention can also be dictated by the payer and the plan themselves. There may be federal laws, state laws, and requirements from the entity that's paying for your services. So, you have to be sure that all three of those are clear. When in doubt, go with the longer period of time. For example, if your plan says seven years and the state says five years, go with seven years to be on the safe side.

ICD-10 and CPT Codes

Next, I want to discuss ICD-10 and CPT codes, and how they relate to SLPs in the medical setting. ICD-10 stands for the 10th revision of the International Statistical Classification of Diseases and related health problems, which is the "ICD" part.  It's ultimately a medical classification list governed by the World Health Organization, and it contains all of the diagnosis codes for diseases, signs and symptoms of those diseases, any abnormal findings, and complaints.

ICD-10 also includes codes for social circumstances and external causes of injury or diseases. ICD-10 is used for diagnosis purposes, and the government uses ICD-10 codes to track diseases or illnesses. The most applicable ones, currently, are the COVID-19 diagnoses which were added in 2020.  Those ICD-10 codes are used to track the prevalence of COVID-19.

It is becoming increasingly important, as we move toward electronic health records, that a patient's diagnoses follow him or her; which makes sense. If I'm an SLP in post-acute care, I should know what the hospital diagnosed them with. I should know what their history of active diagnoses is.

ICD-10 Coding

How do you know which ICD-10 code to use? The most accurate coding comes from the ICD-10 manual. Some apps are available to help with ICD-10 coding so that you don't have to do it manually. One app, ICD-10 Consult, I use quite a bit. ICD-10 2022 is another app, and Quick ICD-10 is a third app. I don't use the Quick ICD-10, but I can definitely recommend the first two.  Again, these apps make it easy to search and find the most appropriate ICD-10 coding. If you have a description of the code, it will give you the ICD-10 code.

ICD-10 codes have three to seven characters, letters and numbers combined. The more characters there are, the more specific the diagnosis is. The first three characters of an ICD-10 code are the category. The next three characters are the etiology of the diagnosis or the anatomic site. Where is it? How severe is it? What is the laterality - right or left? Then the last, or seventh, character is the extension code. Not all ICD-10 codes are eligible for an extension code. So, you will need to check the manual and/or the app to find out if a code is eligible or not.

ICD-10 Extensions

Extension codes are primarily used to document the episode of care, or where the patient is in the episode related to injuries or external causes, and the extension is always the seventh character in the code. There are several options for extension codes. "A" is used for the initial encounter. For example, you see in a medical record an "A" at the end of the fracture code. That describes that the fracture just happened, and the patient is receiving active treatment for the injury or something else that happened externally to them.

If you see that same fracture code, but it had a "D" at the end, that's a subsequent encounter which means the patient is past the active treatment phase, but they're still receiving some care for that injury because they're recovering and healing during that point. This is generally where we, as service providers, come in.  We are not typically involved in the "A" diagnosis.  We typically start seeing the patient when that extension has changed to a "D."  

The final extension that applies to us is the sequela, or "S," extension. Consider the same example of a leg fracture. If you see an "S" extension on the code, that indicates a complication. There is a condition such as a fracture, they did a revision, and then an infection came about. As a result, the patient had chronic pain and fatigue, and major issues with the leg after the fracture happened. The "S" extension is used because routine healing and recovery have already happened, but now there's a chronic condition that's lasting much longer. Often in the medical field, we call that sequela extension 'late effects.' So, you would say, "The patient has late effects from the fracture."
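The code structure just described, as an added example that is not part of the course: a small Python parser that splits a written ICD-10 code into its category, detail characters and extension, plus a check for the "use the most specific code" rule. The regular expression, the field names and the sample code S72.001D (a 7-character injury code used here only to show a D extension) are assumptions of this example, not something the course provides.

```python
import re
from typing import Optional, TypedDict

# Shape described in the course: 3 to 7 alphanumeric characters. Characters 1-3
# are the category, characters 4-6 add etiology, anatomic site, severity or
# laterality, and a 7th character, when the code allows one, is the extension.
# In written form a period follows the category: "I69.391", "R47.1".
# (The regular expression and field names are this example's assumptions.)
ICD10_SHAPE = re.compile(r"^([A-Z][0-9][0-9A-Z])(?:\.?([0-9A-Z]{1,4}))?$")

# Extension characters the course discusses for injury / external-cause codes.
EXTENSION_MEANING = {
    "A": "initial encounter (active treatment)",
    "D": "subsequent encounter (recovery and healing)",
    "S": "sequela (late effect)",
}


class ICD10Parts(TypedDict):
    category: str              # characters 1-3
    detail: str                # characters 4-6, may be empty
    extension: Optional[str]   # character 7, only on 7-character codes
    extension_meaning: Optional[str]
    length: int                # character count without the period


def parse_icd10(code: str) -> ICD10Parts:
    """Split a written ICD-10 code into the parts the course describes.

    Raises ValueError when the string does not have the 3-7 character shape
    (for example "169.391", a digit where the category letter belongs).
    """
    cleaned = code.strip().upper()
    match = ICD10_SHAPE.match(cleaned)
    if not match:
        raise ValueError(f"not an ICD-10 code shape: {code!r}")
    category, rest = match.group(1), match.group(2) or ""
    detail = rest[:3]
    extension = rest[3] if len(rest) == 4 else None
    return {
        "category": category,
        "detail": detail,
        "extension": extension,
        "extension_meaning": EXTENSION_MEANING.get(extension) if extension else None,
        "length": len(category) + len(rest),
    }


def is_refinement(specific: str, general: str) -> bool:
    """True when `specific` narrows `general` (same leading characters, more of them).

    Supports the rule that the most specific available code should be used:
    when one code merely extends another, the longer one is the one to report.
    """
    s = specific.strip().upper().replace(".", "")
    g = general.strip().upper().replace(".", "")
    return len(s) > len(g) and s.startswith(g)


if __name__ == "__main__":
    # Codes from the course plus the constructed fracture sample.
    for sample in ("I63.9", "I69.391", "R13.12", "S72.001D"):
        print(sample, parse_icd10(sample))
```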

Practical Applications for SLPs

What are some practical applications for SLPs? It's good to know that ASHA has our back, and we don't have to look for annual updates for ICD-10 codes. They do it for us, which is wonderful. Here is the website for that: https://www.asha.org/siteassets/uploadedfiles/icd-10-codes-slp.pdf. They are updated annually on October 1st.  ASHA gets all of the ICD-10 codes and provides a list of those that apply specifically to speech-language pathology. 

Another important point is that you have to use the most specific ICD-10 code available. If you don't have enough clinical information, you can use one with a descriptor that says "unspecified." But if you have a more specific code, the manual says you should use that more specific code. Also, if you don't have a definitive diagnosis established, you can still report an ICD-10 code for the symptom you're noticing during the evaluation, even if there's an unknown etiology and you're not sure why.

Here's an example. Let's say you are evaluating a patient and notice they have some dysarthric behavior, but you don't know if they've had a stroke.  There is nothing in the medical record stating that they have cerebral vascular disease, that they've had a TIA, etc. So, you don't know why it's happening, but you see it on your evaluation. You can use R47.1, which is signs and symptoms involving speech dysarthria.  If you did know the patient had cerebral vascular disease, and that was likely the etiology of the dysarthria, then you would use the more specific code I69.822. Again, you can always code a sign or a symptom, even when you don't have the etiology. But that should be very clearly documented in your evaluation.

Coding for CVAs. When coding for 'late effects' of a CVA, meaning a patient has a CVA and comes to you for rehab because they have complications or conditions such as aphasia, dysarthria, or dysphagia, use the I69 category for that ICD-10 code. The I69 category includes all neurological deficits and swallow deficits that persist after the patient has had a CVA. So, as a practical application for dysphagia, if you have a patient who has dysphagia following a CVA, you would code the etiology of the dysphagia and the specific type of dysphagia (e.g., I69.391 - dysphagia following cerebral infarction AND R13.11 - dysphagia, oral phase). You would use both of those codes together, which documents that you know A) where the dysphagia is coming from and B) what type it is. That's specific to dysphagia following a CVA.

Selecting Medical and Treatment ICD-10 Diagnoses. It's also important to remember when and how to select a medical diagnosis and a treatment diagnosis using ICD-10. When we are doing evaluations in inpatient acute, outpatient, home health, and skilled nursing facilities, we are often given a list of codes, and we choose the medical diagnosis that's the most appropriate for our plan of care. That medical diagnosis has to be an active diagnosis, listed in the patient's record, and it must support why the patient needs rehabilitative services. When I choose a medical diagnosis, I consider several questions. What's the problem? What's the etiology of the problem? What's the genesis of it? And what is directly impacting why the patient needs an evaluation? All of that information helps to determine the medical diagnosis.

Your treatment diagnoses are the diagnosis codes that support the deficits that are a result of that etiology. An example would be if a patient had a CVA, that would be the medical diagnosis, and then the treatment diagnoses would be all of those symptoms or conditions that occurred that require your services to treat.

CPT Codes 

CPT stands for Current Procedural Terminology and is published and maintained by the American Medical Association. These codes are used to describe tests, surgeries, evaluations, and anything else performed by a healthcare provider. It is an important part of the billing process because CPT codes tell the payer what procedures we provided and that we would like to be paid.

CPT codes work in conjunction with ICD-10 codes to essentially provide a quick, full picture of the patient's needs and the medical process. When you think about CPT codes and ICD-10 codes together, a patient arrives with symptoms as represented by the ICD-10 codes, and then we perform certain procedures represented by the CPT codes that we bill.

CPT Code Format. CPT codes are five characters long. They can be numeric or alphanumeric, meaning a combination of letters and numbers, depending on what category the CPT code is in. We don't want to confuse the category with ICD-10. Remember, the first three digits of an ICD-10 code are the category that the patient's diagnosis is in. For CPT codes, the category refers to what kind of code it is.

There are three categories, and we are the most concerned with Category I. It's the most common, it describes procedures performed by healthcare providers, and it's divided into six sections. Our codes fall in the 'medicine' section, with the five digits that begin with a nine. That's where most of our codes are found.

Timed versus Untimed. The CPT codes that we utilize are primarily procedure based. They are untimed, or what I like to call 'event-based' codes. That means that the CPT code is reported one time and it's billed one time, regardless of how long the treatment occurred. But we do have a few CPT codes that are timed, and the most common ones are:

  • Cognitive development, initial 15 minutes
  • Cognitive development, each additional 15 minutes
  • The first hour of a speech-generating device (SGD) evaluation
  • Each additional 30 minutes of the SGD evaluation
  • Cognitive performance testing, per hour
  • Aphasia evaluation, per hour
  • The first hour of an aural rehabilitation evaluation
  • Each additional 15 minutes of the aural rehabilitation evaluation

Let's look at the first two - cognitive development, the initial 15 minutes, and cognitive development, each additional 15 minutes. Medicare has established minimum and maximum times for 15-minute codes. Most payers have adopted the same policy, which is a little confusing. But the minimum time for a 15-minute code (e.g., cognitive development) is eight minutes. So even though it states "initial 15 minutes," if you reach that threshold of eight minutes, you can bill one unit of that cognitive development code. For Medicare, one unit means 8-22 minutes. Two units is 23-37 minutes. Three units is 38-52 minutes. Four units is 53-67 minutes. Five units is 68-82 minutes (That's a long treatment.). But you do get paid per unit for the CPT codes that are listed. One final point: if it says "per hour," you have to reach 31 minutes in order to bill that code. That's a requirement. Again, that's the minimum threshold for that code.

CPT Evaluation Codes. We don't have many evaluation codes to choose from. The most common ones are 92521-92524 for speech, language and cognitive-linguistic evaluations. 92610 is used for swallow evaluations. A speech-language eval and a swallow eval can be completed on the same day if needed. And, these evaluation codes are untimed. That means, however long it takes, you bill it once, and that's what you get reimbursed for. I am asked all the time from a compliance standpoint, "What is a normal evaluation time?" There isn't one. Each individual evaluation should be determined by the clinician based on the patient's needs. There's no specific time or a "normal" evaluation time.

CPT Treatment Codes. The most common CPT treatment codes are:

  • 92507 Speech-language treatment
  • 92508 Speech group treatment
  • 92526 Swallow treatment
  • 97129/97130 Cognitive development training

Again, I am often asked, "What's a typical time for an untimed code?" Ultimately, it comes down to the clinician's judgment and what they feel is important. Untimed codes have an underlying typical time associated with each code, and those times are derived from surveys of SLPs that ASHA, in conjunction with the American Medical Association, comes up with. If you wanted to see them, look up "physician time file." It is publicly available through CMS. But they are just guidelines, and they make it clear that there is no hard and fast rule about minimums.

Practical Applications for SLPs

ASHA has a superbill template with the most commonly billed CPT codes on its website. Remember, even though untimed codes don't include a time unit in their descriptors, meaning you can bill them and get reimbursed once regardless of the duration of the treatment, some underlying times have been used to determine the value of the evaluation or treatment. Those times can be found under the physician time file if you want to look that up. You can also search for CMS's value of each CPT code (link: https://www.cms.gov/medicare/physician-fee-schedule/search), and that will vary. For example, if you have a contract with a managed care plan or private insurance, you may have agreed to a different rate. The rate will be based on the contract or the insurance plan. 

Ultimately, you should know what codes you bill, which ones are timed, and which ones are untimed to ensure that you're accurately reporting and billing correctly.

Coding Case Study: Using ICD-10

Here's a quick case study. Mrs. Hernandez is referred for an evaluation due to a new onset of dysphagia. Pertinent medical history includes a cerebral infarction that happened about a week ago, hypertension, diabetes, previous TIAs, and diabetic neuropathy. The evaluation notes the presence of oropharyngeal dysphagia, and the clinician recommends dysphagia treatment. Based on this information, what is the medical diagnosis and what is the treatment diagnosis?

For the purposes of this case study, the clinician chose cerebral infarction. It just happened, and as a result, the patient had dysphagia. So, she chose the medical diagnosis code I63.9, and the treatment diagnosis would be dysphagia following cerebral infarction (I69.391). She also coded dysphagia, oropharyngeal phase (R13.12) because that's what the evaluation indicated.

Her evaluation took 64 minutes and her first treatment session, which was a couple of days later, was 52 minutes. So, which CPT code do you use, is it timed or untimed, and how do you allocate your minutes?

CPT code 92610 is used for billing the swallow evaluation. Remember, that evaluation is untimed, so you'll bill all 64 minutes under that code, and the payer will reimburse you for one unit of 92610. For the treatment that happened a couple of days later, you're going to bill 92526, which is for swallow treatment. Again, swallow treatment is untimed, so you will get one amount regardless of treatment time. So, you will bill all 52 minutes under 92526, and you'll be reimbursed for one unit of that code.
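To tie the Medicare 15-minute unit schedule from the timed-versus-untimed section to this case study, here is an added Python example (not part of the course) that works out the units to report for a single-code session. The code table is limited to the CPT codes named in the course; the function names, the 97129/97130 split into one initial unit plus additional units, and capping "per hour" codes at one unit are assumptions of this example.

```python
from typing import Dict

# CPT codes named in the course. Untimed ("event-based") codes are reported
# once per session regardless of duration.
UNTIMED_CODES = {
    "92521", "92522", "92523", "92524",   # speech, language, cognitive-linguistic evaluations
    "92610",                               # swallow evaluation
    "92507", "92508", "92526",             # speech-language, group and swallow treatment
}

# Cognitive development training: 97129 is the initial 15 minutes and 97130
# each additional 15 minutes, so one session reports 97129 once and 97130 for
# every further unit (assumption of this example).
INITIAL_15 = "97129"
ADDITIONAL_15 = "97130"

MIN_MINUTES_15 = 8     # Medicare threshold for the first 15-minute unit
MIN_MINUTES_HOUR = 31  # threshold for a "per hour" code


def fifteen_minute_units(minutes: int) -> int:
    """Units under the Medicare schedule: 8-22 = 1, 23-37 = 2, 38-52 = 3, ..."""
    if minutes < MIN_MINUTES_15:
        return 0
    return (minutes - MIN_MINUTES_15) // 15 + 1


def per_hour_units(minutes: int) -> int:
    """A 'per hour' code needs 31 minutes for its unit. The course stops at one
    unit, so this function does too (assumption of this example)."""
    return 1 if minutes >= MIN_MINUTES_HOUR else 0


def bill_session(cpt: str, minutes: int) -> Dict[str, int]:
    """Return {code: units} to report for a session billed under one code.

    Sessions mixing several timed codes are not handled here; the course
    states the schedule per code.
    """
    if minutes <= 0:
        return {}
    if cpt in UNTIMED_CODES:
        return {cpt: 1}
    if cpt in (INITIAL_15, ADDITIONAL_15):
        units = fifteen_minute_units(minutes)
        if units == 0:
            return {}          # under 8 minutes: nothing to report
        claim = {INITIAL_15: 1}
        if units > 1:
            claim[ADDITIONAL_15] = units - 1
        return claim
    raise ValueError(f"CPT {cpt} is not in this example's code table")


def case_study_claims() -> Dict[str, Dict[str, int]]:
    """Mrs. Hernandez: 64-minute swallow evaluation, then 52-minute swallow treatment."""
    return {
        "evaluation": bill_session("92610", 64),
        "treatment": bill_session("92526", 52),
    }


if __name__ == "__main__":
    print(case_study_claims())
    print("97129 for 52 minutes ->", bill_session("97129", 52))
```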

HIPAA and PHI

Let's move on to HIPAA and PHI. HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. Ultimately it consists of two rules, the privacy rule and the security rule, which are overseen by the Department of Health and Human Services. They are also enforced by the Office of Civil Rights (OCR). Violations of HIPAA can come with some pretty significant fines.

Rule I: Privacy Rule

Rule I essentially states that a covered entity cannot use or disclose Protected Health Information (PHI), except either 1) as the privacy rule allows or 2) as the individual (or the patient's personal representative) authorizes in writing. You either have to have a reason for using PHI, or the patient or representative has to authorize its use.

What is PHI? PHI is protected health information and is essentially anything that can identify a patient or for which there is a reasonable basis to believe that it could identify the patient. PHI could be something as simple as initials. In other words, anything that could be used to identify a patient is considered PHI: name, address, birth date, social security number, room number, room number along with a patient's initials. So, we have to be very careful about using and disclosing PHI. 

How does that apply to us? When can you, as the SLP, use a patient's PHI? The acronym PTO stands for payment, treatment, and operations, and you can always use a patient's PHI when it involves treatment, payment for a service, or healthcare operations. When disclosing a patient's PHI, you must follow the Minimum Necessary Standard. This means you don't give out any more information than you have to. You keep it to the bare minimum. If there is a request for disclosing PHI that's not for payment, treatment, or healthcare operations (PTO), then you must have authorization from the patient in writing to release it.

Rule II: The Security Rule

The Security Rule requires us to maintain reasonable administrative, technical, and physical safeguards for protecting electronic PHI. Specifically, covered entities (i.e., healthcare organizations) must ensure that the patient's e-PHI remains confidential and available when transmitted. The e-PHI might need to be encrypted. Covered entities have to protect against anticipated threats like hackers to make sure that the patient's protected health information remains secure. They also have to ensure compliance by their workforce.

What does this rule mean for SLPs? First, it means that administrative safeguards need to be in place. You have to use secure messaging when using PHI. No text messages should be sent. You can't send an email to your supervisor using a Gmail account with your evaluation attached. You must use an encrypted system. Electronic medical records or electronic healthcare records have to be secure.

There should also be physical safeguards. How can you safeguard a patient's PHI? Don't leave your files lying around. You have to lock up your documents. I've been in clinics where there is a drawer that's never locked, and it's filled with all these papers on patients who have been discharged, or they're still there, or we just don't know what to do with them. You can't have documents lying around.

Passwords should be on all computers. Don't share your password with your friends or your coworkers. Computers need to have a timeout system so that others can't access the information if someone leaves a computer.

There should also be some technical safeguards in place.  You need to have a contract with any business associates who have access to your patients' PHI. For example, if you use a vendor, then you need to have a contract with them so that they understand the HIPAA policy and procedures, and are going to follow them.

HIPAA and PHI in Your Workplace

The top five HIPAA violations in the workplace are:

  • Employee Dishonesty - The employee is just looking at it because it's interesting.
  • Releasing the Wrong Patient’s Information - This happens all of the time when you have patients with the same or similar names; it's not typically malicious but still a HIPAA violation.
  • Gossiping/Sharing PHI - This is very, very common and typically happens when two coworkers are overheard talking about a patient.
  • Keeping Unsecured Records - That file that has all of the documents that no one knows what to do with - that is a HIPAA violation.
  • Unencrypted Data - The most common violation that I find is therapists texting and using their personal email accounts to talk about patients. That is a big no-no.

Helpful Tips to Avoid HIPAA Violations

Some ways to avoid HIPAA violations at work:

  • Don’t talk about a patient in an open area near others
  • Don’t take photos or videos of patients unless you have documented consent on file
  • Don’t share passwords
  • Keep all files locked up
  • Don’t text about patients. If you need to communicate about a patient, look for a platform with end-to-end encryption - WhatsApp, for instance, is an app that can go on your phone that provides end-to-end encryption. But if you utilize a device like a tablet or a phone to utilize WhatsApp, it has to be safeguarded with a password.
  • Don’t provide more patient information than you need to for treatment, payment, or healthcare operation (PTO) purposes
  • Before you release ANY patient information to ANYONE, make sure you have a consent on file or that the release falls under PTO
  • Don’t access patient records without a valid purpose 

Can you be fired for violating HIPAA? Yes. But if the violation is considered unintentional (you didn't mean to, or you acted in good faith), it would likely not result in disciplinary action.

I do have a couple of cautionary tales. This first one involves a medical technician who was working at a hospital and saw a patient who came in dead on arrival from a car wreck. The technician later saw an article about the car crash and commented on social media that the person should have worn her seatbelt. Somebody responded to her comment, asking, "Did you know her? Were you working?" The medical technician replied, "Yeah, I was working when she came into the ER." She ended up losing her job because that was a HIPAA violation.

Here's another scenario. We had a nurse who was talking to a patient who was about to have a procedure. The physician and technician came in before the procedure, and the nurse told both of them that they needed to wear gloves because the patient has Hepatitis C. The patient filed a formal complaint against the hospital because she said the nurse spoke too loudly and other staff and patients heard her.  The nurse was terminated for a HIPAA violation.

How to Report HIPAA Violations

First, always take that report to your employer. But if no action is taken, report it to the Office for Civil Rights (https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf). Your complaint must:

  • Name the related entity or business associate (BA)
  • Describe the situation, including all the acts or omissions you thought disrupted the conditions of the security or privacy rules within HIPAA
  • Be filed within 180 days of the date of the violation you know about. Also note that OCR may extend the 180-day period if you can show "good reason"

Healthcare Laws that Govern Our Documentation: Rules for SLPs to Live by

I want to talk briefly about some healthcare laws that govern our documentation. Here's a non-comprehensive list of the entities that govern healthcare documentation (I'm sure I missed a few):

  • Medicaid
  • Medicare
  • Commercial Payers
  • Office for Civil Rights (OCR)
  • Department of Justice (DOJ)
  • Office of Inspector General (OIG)
  • Department of Health and Human Services (HHS)
  • Individual entities, such as hospital systems, SNFs, HH agencies, etc. based on policy and procedure
  • State practice acts/state licensure boards 

Rule #1: Know the Governing Laws of Your State

Let's discuss a couple of rules to live by. First, you have to know the governing laws of your state. Whichever law is more stringent is the one you follow. So, if the state law is stricter than the federal law, you have to follow the state law.

As an SLP, you need to know your practice acts. You also need to know the policies and procedures of where you're practicing as well as the guidelines of the organization for which you are working.

Within the board of SLP regulations, depending on your state, you can find a lot of guidance and support, especially when there are gray areas. I would definitely seek some clarification through them. Part of the duty of knowing the governing laws in your state is understanding that, regardless of the state, it is your duty to provide complete and accurate reporting and documentation.

Rule #2: Ignoring Government Regulations Doesn't Make Them Go Away

Ignoring the government and its regulations does not make them go away. They impact almost every aspect of our setting. More recently, regulators have been requesting healthcare records often, to review the documentation and ensure that no fraud, waste, or abuse happened. In 2020, Medicare said it improperly paid about 6.27%, which was almost $26 billion. So they are very focused on trying to recoup that money.

Rule #3: Understand the False Claims Act

You have to understand the False Claims Act (FCA). The FCA applies to providers, beneficiaries, and health plans doing business with the federal government. Violating the FCA can cost you a ton of money. So how does that apply to you? If you knowingly present a false claim for payment, you are violating the FCA. If you use a false record or statement, or you make a fraudulent claim, that's also a violation of the FCA. Conspiring is a violation too: say you're not the one doing the billing, but the biller is billing for your services and you know about it. Knowingly making, using, or causing a false record to be made, meaning you're documenting things that you did not do, is a violation of the FCA. The FCA also states that even if you don't do it intentionally, you could still be in violation.

Unintentionally documenting services where your documentation doesn't look medically necessary could be seen as violating the False Claims Act. So, we want to be very careful about that. If you bill for services you didn't do or if you provide medically unnecessary services, those are also violations.

If you upcode, meaning you perform two units but you bill four, that's also a violation. I have included a cautionary tale about an SLP who did just that, and she is now in prison for ten years in Texas.

FCA and Qui Tam Provisions

The False Claims Act does provide protection for employees who report instances of fraud. This is called the Qui Tam Provision, which allows private citizens to sue on behalf of the government and receive a portion of the recovery if fraud is found. If you are aware of fraud, waste, or abuse that happens in your workplace, you should always notify your company's compliance department first and allow them to do an internal investigation and report to Medicare as needed. You can report those findings to: https://oig.hhs.gov/fraud/report-fraud/.

Rule #4: Know Your Payers 

Each payer has rules, requirements, and guidelines that govern documentation to support the reimbursement of the claims that you or the organization you work for is submitting. Below is a list of the manuals that apply to the various settings we work in.

  • Chapter 4  - Managed Care
  • Chapter 7  - Home Health
  • Chapter 8  - Part A SNF
  • Chapter 15 - Part B SNF/Outpatient

It's important that you know where to find those. If you search "CMS Chapter four," you will find the managed care manual.

HIPAA Case Study #1

Here is a case study. Joni is a new SLP at an outpatient clinic. She takes a video of patient J.M. swallowing a cracker, texts the video to her supervisor, and says, "This is my 10:00 a.m. patient, J.M. I'm treating him for oropharyngeal dysplasia. Do you see a swallow delay?"

Did Joni violate HIPAA? It depends on what platform she used to communicate the information. If Joni used an encrypted platform and had consent from the patient, then that information would have been used for treatment purposes, and she would not have violated HIPAA. However, if she texted it from her personal phone over an unencrypted service, then it is floating around in the cloud somewhere, and it's a violation of HIPAA.

HIPAA Case Study #2

Sam is an SLP at a SNF, and he evaluates a patient after she is admitted for a skilled stay. Following the eval, Sam goes to the gym and tells the physical therapist, who is across the room treating another patient, that Ms. Jones in room 301 has non-weight-bearing precautions and that he (the PT) needs to check her orders before doing his eval. Did he violate HIPAA? Yes. He disclosed a patient's PHI in front of another patient, violating HIPAA's Privacy Rule. If Sam had discussed the patient's case in the rehab office with no other person present, then he would have been disclosing PHI for the purposes of treatment, and that wouldn't have violated HIPAA. But because somebody else was present, a violation of HIPAA did occur.

HIPAA Case Study #3

Gloria is an SLP in an inpatient hospital, and before every treatment, she takes the patient's vital signs and writes them on a post-it note so that she can document them in the chart after the session. At the end of the day, she forgets her post-it note with all of her vitals at the nurses' station. Did she violate HIPAA? Were there patient identifiers on the post-it note? If she wrote every patient's name or room number along with the vitals, then yes, she would have been disclosing PHI. If they were just vital signs listed on a sticky note with no patient identifier information, then there would be no way to tie those back to patients; it would be aggregate data, and it would not be a HIPAA violation.
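As an added example that is not part of the course, here is a small Python model of the Minimum Necessary Standard and the PTO rule described earlier, together with the identifier test from Case Study #3 (vitals with a name or room number are PHI; vitals alone are aggregate data). The field names, the per-purpose policy, the identifier patterns, and the sample record are constructed assumptions, not HIPAA's definitions.

```python
import re

# Constructed for this example: fields that tie a record to a person.
DIRECT_IDENTIFIERS = frozenset({"name", "room", "mrn", "dob"})

# Constructed "minimum necessary" policy: the fields each purpose needs.
# Treatment, payment and operations (PTO) never require written authorization.
MINIMUM_NECESSARY = {
    "treatment": {"name", "room", "mrn", "vitals", "diagnosis", "precautions"},
    "payment": {"name", "mrn", "diagnosis", "dates_of_service"},
    "operations": {"mrn", "vitals", "diagnosis"},
}


def disclose(record, purpose, written_authorization=False):
    """Return the subset of `record` that may be disclosed for `purpose`.

    PTO purposes get only the fields the policy marks as necessary.  Any
    other purpose needs the patient's written authorization on file;
    without it, nothing is released.
    """
    if purpose in MINIMUM_NECESSARY:
        allowed = MINIMUM_NECESSARY[purpose]
        return {k: v for k, v in record.items() if k in allowed}
    if not written_authorization:
        raise PermissionError(
            f"{purpose!r} is not treatment, payment or operations: "
            "written authorization from the patient is required")
    return dict(record)


def deidentify(record):
    """Drop direct identifiers so what remains is aggregate data that
    cannot be tied back to a patient (the sticky-note test in Case Study #3)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


# Free-text checks for a hand-written note: a room number or patient
# initials next to the vitals are enough to re-identify them.
_ROOM = re.compile(r"\b(?:rm|room)\s*\d{3}\b", re.IGNORECASE)
_INITIALS = re.compile(r"\b[A-Z]\.[A-Z]\.")


def note_has_identifiers(note):
    """True when a note line carries a room number or patient initials."""
    return bool(_ROOM.search(note) or _INITIALS.search(note))


# Constructed sample record (no real patient data).
SAMPLE = {
    "name": "Ms. Jones", "room": "301", "mrn": "000123", "dob": "1950-01-01",
    "vitals": {"hr": 72, "bp": "120/80"}, "diagnosis": "DX-PLACEHOLDER",
    "precautions": "non-weight-bearing", "dates_of_service": ["2022-10-10"],
}

if __name__ == "__main__":
    print(disclose(SAMPLE, "operations"))
    print(deidentify(SAMPLE))
    print(note_has_identifiers("J.M. rm 301 HR 72 BP 120/80"))
```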

Questions and Answers

As an out-of-network, private practitioner, what am I required to do to protect invoices I email to my clients?

As long as you are on an encrypted platform, you should be fine, because you are providing that information for payment purposes. You just have to ensure that your email system is secure and that you're not using something like Gmail, AOL, Yahoo, etc.

How about using Microsoft Word to write up evals and treatment? Is Word encrypted?

It is less about Microsoft Word and more about the platform that you're on. So if you're keeping those on a computer that's password protected and you're not transmitting those, then you're not in violation of anything. The question is, how are you getting those to the powers that be, and that's what you're going to have to consider.




Collier, M. (2022). Healthcare Documentation, Coding and HIPAA Requirements: An SLP's Guide. SpeechPathology.com, Article 20538. Available at www.speechpathology.com


Melissa Collier, MS, CCC-SLP, CHC, CDP

Melissa Collier received her Master's degree in Speech-Language Pathology from Texas Christian University and actively holds a Certification in Healthcare Compliance. She has extensive clinical experience in post-acute care, having worked in skilled nursing and home health settings for the last 13 years. Melissa is a subject matter expert in post-acute care reimbursement, denials and appeals, and documentation compliance.
Melissa currently serves as the Vice President of Clinical Quality and Compliance for Continuum Rehab Group where she provides clinical education, develops and implements clinical programming, and oversees CRG's denials and appeals department and compliance program. She has previously written and presented continuing education courses in the areas of documentation, dysphagia, and dementia for the Texas Speech-Language and Hearing Association, ASHA, and other online continuing education platforms.
