
Awareness article

HIPAA for Medical Coders: PHI Access, Minimum Necessary, and Audit Risk

Medical coders access full clinical records - making them among the broadest PHI accessors in any clinic. This guide covers minimum necessary, BAA requirements for outsourced coders, audit trail expectations, offboarding, remote work security, and what to do when records appear tampered.

Short answer

Medical coders read complete clinical documentation to assign diagnosis and procedure codes, giving them some of the broadest PHI access in any clinic. That access creates specific HIPAA obligations around minimum necessary, audit logging, secure remote work, and same-day offboarding. This guide explains those obligations for both in-house and outsourced coding roles.

Medical coders read complete clinical documentation - physician notes, operative reports, lab results, discharge summaries, imaging reports - and assign the ICD-10 diagnosis codes and CPT procedure codes that drive billing and reimbursement. No other role in a typical clinic reads as many full patient records as consistently as coders do.

That access level is necessary for accurate coding. It also creates the broadest ongoing PHI exposure in the workforce. HIPAA does not restrict clinical access for coders - it requires that the access be purposeful, logged, secured, and revoked promptly when it is no longer needed.

This guide explains those requirements for coders working in-house, as employees, or through outsourced coding arrangements.

What PHI coders access and why it matters under HIPAA

To assign a code correctly, a coder must read the clinical record in enough detail to understand what condition was present and what was done. That means access to:

  • Physician and provider notes (SOAP notes, progress notes, consultation reports)
  • Operative and procedure reports
  • Pathology and lab findings
  • Radiology reports
  • Discharge summaries
  • Prior authorization documentation

Each of these documents is PHI. A coder working a full-day queue may touch hundreds of patient records. That volume is the source of both the role’s usefulness and its compliance risk.

The minimum necessary standard in the coding context

45 CFR §164.514(d) requires that access to, use of, and disclosure of PHI be limited to the minimum necessary to accomplish the intended purpose. HHS guidance confirms that covered entities must implement policies and procedures that identify classes of workforce members who need access to PHI and limit access to the minimum necessary for those roles.

For coders, minimum necessary does not mean accessing only part of a clinical note. A coder who reads only the assessment section of a note without the history and supporting documentation will produce incomplete or inaccurate codes. Full record access for records under active coding assignment is appropriate.

Minimum necessary in the coding context means:

Limiting access to assigned records. A coder should not open records for patients not in their active coding queue. Curiosity about a patient’s record - even one they previously coded - is not a permissible basis for access.

Not retaining copies of records. Coders should not download, print, or copy clinical records beyond what is required for the coding task. Once a record is coded and submitted, copies should not persist on local devices or personal storage.

Not using records for secondary purposes. A coder who accesses patient records to assist a colleague in a non-coding task, to look up a patient’s contact information for personal reasons, or to assist another department’s inquiry has exceeded minimum necessary. Those requests should go through the appropriate clinic process.

BAA requirements for outsourced coding

Outsourced coding is common - many clinics use third-party coding companies to handle overflow, specialties, or full coding operations. Those companies receive PHI from the clinic and are business associates under HIPAA.

The clinic must execute a signed HIPAA BAA with every outsourced coding company before that company accesses any clinical records. This applies regardless of the size of the coding firm or the volume of records involved. A national coding vendor with thousands of clients and a solo contractor working remotely both require BAAs.

The BAA must include:

  • Permitted uses of PHI (coding and related quality review only)
  • Security requirements (Security Rule compliance, including technical safeguards)
  • Subcontractor obligations (if the coding company uses sub-vendors or offshore staff, those arrangements must be covered)
  • Breach notification to the covered entity
  • Return or destruction of PHI upon termination

Coders employed by an outsourced coding company should understand that their employer’s BAA with the clinic defines the boundaries of permissible access. Accessing records outside the scope of the coding assignment - for any reason - is a potential violation of that BAA.

Audit trail expectations for coding access

HIPAA’s Security Rule requires covered entities to implement hardware, software, and procedural mechanisms that record and examine access and activity in systems that contain or use electronic PHI (45 CFR §164.312(b)). For EHR systems used by coders, this means every record access - which coder, which patient record, which date and time - should be logged.

Audit log review should be part of the clinic’s ongoing compliance program, not a reactive measure taken only after an incident. For coding access specifically, periodic review should look for:

  • Records accessed outside normal working hours for the coder
  • High-volume record access that significantly exceeds the coder’s assigned queue
  • Access to records for patients with whom the coder has no professional connection (family members, public figures, colleagues)
  • Records accessed repeatedly that have already been coded and closed

Most EHR systems generate access logs automatically. The compliance obligation is to review those logs, not simply to have them. Clinics that generate logs but never review them have the appearance of compliance without its substance - and an HHS auditor will ask for evidence of review, not just evidence that logging was enabled.
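As an added example (not code from the original article or from any EHR or compliance product), the four review checks listed above run over a constructed EHR access log in Python. The log line format, the per-coder queue and working-hours tables, the closed-record set and the 1.5x volume ratio are all assumptions chosen for the illustration.

```python
"""Review EHR access-log entries for the coding-access patterns a periodic audit looks for."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not from a real system): one log line per record access,
# each coder's assigned queue and working hours, and records already coded and closed.
ACCESS_LOG = [
    "2024-03-04T09:12:00 coder=asmith patient=P1001",
    "2024-03-04T09:40:00 coder=asmith patient=P1002",
    "2024-03-04T23:15:00 coder=asmith patient=P1003",  # after hours
    "2024-03-04T10:05:00 coder=asmith patient=P2001",  # not in asmith's queue
    "2024-03-04T11:30:00 coder=asmith patient=P0900",  # closed record, opened twice
    "2024-03-04T11:31:00 coder=asmith patient=P0900",
    "2024-03-04T13:00:00 coder=bjones patient=P1101",
]
QUEUES = {"asmith": {"P1001", "P1002", "P1003"}, "bjones": {"P1101", "P1102"}}
WORK_HOURS = {"asmith": (8, 18), "bjones": (8, 18)}  # assumed local hours, start inclusive
CLOSED_RECORDS = {"P0900"}
VOLUME_RATIO = 1.5  # assumed threshold: distinct records opened vs. size of assigned queue


def parse(line):
    """Split 'timestamp coder=<id> patient=<id>' into (datetime, coder, patient)."""
    ts, coder, patient = line.split()
    return datetime.fromisoformat(ts), coder.split("=", 1)[1], patient.split("=", 1)[1]


def review(log):
    """Return (coder, finding) tuples for a compliance reviewer to follow up."""
    findings = []
    distinct = defaultdict(set)  # coder -> patients opened
    closed_hits = Counter()      # (coder, patient) -> accesses to a closed record
    for ts, coder, patient in map(parse, log):
        start, end = WORK_HOURS[coder]
        if not start <= ts.hour < end:
            findings.append((coder, f"after-hours access to {patient} at {ts.isoformat()}"))
        if patient in CLOSED_RECORDS:
            closed_hits[(coder, patient)] += 1
        elif patient not in QUEUES[coder]:
            findings.append((coder, f"access to {patient} outside assigned queue"))
        distinct[coder].add(patient)
    for (coder, patient), n in closed_hits.items():
        if n >= 2:  # repeated access to a record that is already coded and closed
            findings.append((coder, f"closed record {patient} opened {n} times"))
    for coder, patients in distinct.items():
        if len(patients) > VOLUME_RATIO * len(QUEUES[coder]):
            findings.append((coder, f"{len(patients)} distinct records vs queue of {len(QUEUES[coder])}"))
    return findings
```

The output is a worklist for the reviewer, not a verdict: each finding still needs the coder's explanation and the queue assignment checked before it becomes an incident.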

Coders should be aware that their record access is logged. That awareness is appropriate - it reinforces professional boundaries and provides coders with protection if their access is ever questioned.

Offboarding: revoking access on the same day

One of the most common and consequential HIPAA failures in workforce management is delayed access revocation. A coder whose contract ends on Friday and who still has active EHR credentials on Monday represents an ongoing unauthorized access risk for every day those credentials remain active.

Same-day revocation is the standard. When a coder’s employment or contract ends:

  1. HR or the supervisor notifies IT or the EHR administrator on the last day - not at the end of the week, not when the paperwork is processed.
  2. The EHR account and all clinical system access are deactivated that day.
  3. Revocation is confirmed in writing and documented in the personnel file.
  4. If the coder worked remotely, any VPN credentials, remote desktop access, and shared system credentials are also revoked.
  5. If the coder used a clinic-issued device, that device is collected or remotely wiped.

For outsourced coding companies: the coding company’s client access credentials for the clinic’s EHR should be reviewed whenever a coding company employee who worked on the clinic’s account leaves that company. The coding company has an obligation under the BAA to manage its own workforce access - but the clinic should confirm that the company’s offboarding process removes access to the clinic’s records.

Work-from-home security for remote coders

Remote coding has become a standard working arrangement. It creates PHI risks that do not exist in a controlled office environment. Several requirements apply:

Approved devices. PHI must not be accessed or processed on personal devices. Clinic or company-issued devices with managed security configurations - antivirus, full-disk encryption, mobile device management - are the appropriate tools.

VPN for network access. When connecting to EHR systems or coding platforms remotely, the connection must travel over an encrypted VPN or direct secure connection. Accessing PHI over unsecured public Wi-Fi - at a coffee shop, a library, or an airport - is prohibited. Home networks are acceptable only when the connection to the clinic system is encrypted.

Screen privacy. A coder working at a home workstation with a full clinical record on screen should ensure that screen is not visible to other household members. Positioning the monitor away from foot traffic areas, using a privacy screen filter, and locking the session when stepping away are practical requirements.

No PHI on personal storage. Clinical records should not be downloaded to personal cloud accounts (personal Google Drive, Dropbox, iCloud) or saved to personal USB drives. If a coding platform requires local file processing, those files must remain on the approved device and be deleted once the coding task is complete.

Secure disposal. If printed materials are necessary - which should be rare and approved - printed PHI must be shredded, not placed in household recycling.

What to do if a record appears tampered or documentation seems fraudulent

Medical coders read a volume of clinical documentation that gives them unusual visibility into documentation patterns. A coder may encounter records where the documentation appears to have been altered, where notes seem to have been added after the fact to justify a higher-acuity code, or where the clinical picture described in the record does not match what the codes would imply.

This is a sensitive situation. The coder’s obligation is clear: report the observation through the clinic’s compliance reporting channel - typically the privacy officer or compliance officer - and do so promptly.

The coder should not:

  • Alter, correct, or add to the record themselves
  • Discuss the observation with the treating provider before involving compliance
  • Discuss the concern with colleagues who are not in the compliance chain
  • Delay reporting while deciding whether the concern is serious enough

Documentation concerns in clinical records can indicate billing fraud, which carries criminal liability under the False Claims Act in addition to HIPAA exposure. They can also indicate patient safety risks. Neither situation benefits from delay.

When reporting, the coder should document their own observation in writing: which record, the specific entry or pattern of concern, the date they observed it, and the date they reported it. That written record protects the coder and provides the compliance officer with specific information to investigate.

If the coder later believes their report was not acted upon and the concern involves suspected fraud against a federal payer (Medicare, Medicaid), they have the right to report directly to the HHS Office of Inspector General. HIPAA and federal law protect healthcare workers who report good-faith compliance concerns from retaliation.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.

FAQ

Questions related to this topic

Does the minimum necessary standard mean coders should access only part of a clinical record?

No. Coders need to read complete clinical documentation to assign codes accurately. Minimum necessary in the coding context means limiting access to the records assigned for coding - not opening records for patients not in the active work queue. It also means not retaining or copying records beyond what the coding task requires.

Is a remote coder hired as an independent contractor a business associate?

It depends on the arrangement. An independent contractor who provides coding services directly to the clinic as an individual may be treated as part of the clinic's workforce for HIPAA purposes, depending on the degree of direction and control the clinic exercises. An outsourced coding company - a business entity - is a business associate. When in doubt, execute a BAA.

What should a coder do if they discover a record they believe has been altered?

Do not alter the record yourself and do not discuss the suspected tampering with the patient or with colleagues outside the chain of compliance reporting. Report the observation to the privacy officer or compliance officer immediately with as much specificity as possible: which record, which entry, what makes it appear to have been altered. Document your own observation in writing.

How long should coder access to an EHR remain active after their last day?

Zero days. Access should be revoked on the same calendar day as the last day of employment or contract. Revocation should be confirmed in writing - a screenshot of the account deactivation or a record in the HR/IT system. This is not a grace-period situation.

Can coders use personal laptops for remote work if they do not download any records?

Generally no. Even if a coder accesses records only through a browser without downloading, a personal device that stores browser credentials, session cookies, or cached content represents a PHI risk. Clinic or company-issued devices with managed security controls are the appropriate tool for remote coding work.
