Clinical & Financial Guides

The Practice Management Archive.

125 plain-English playbooks for the moments a medical practice actually deals with — audit letters, denied claims, HIPAA obligations, payer policy, specialty rules, state overlays. Every guide is source-grounded against HHS, OCR, CMS, eCFR, NIST, and the state regulators we cite. No marketing claims, no fabricated stats.

Start with the situation

What brought you here today?

Situation 01

I just got an audit or inspection letter.

OCR audit, Medicare ADR, DEA on-site, CMS-855 revocation — the response window is already running. Start here.

Situation 04

I'm working on my HIPAA Security Risk Analysis.

Specialty-specific risk profiles, cadence rules, vendor risk, the policies template, and what the MIPS attestation actually requires.

Situation 05

I'm starting or buying a practice.

BAA template, privacy + security officer roles, encryption baseline, training curriculum.

Editor’s Desk

Jump to full index →
Tier I — Compliance

HIPAA, audits, and the everyday compliance program.

Plain-language playbooks for audit letters, breach windows, regulatory deadlines, specialty obligations, and state overlays. 80 guides covering Emergency Response, Compliance Foundations, Medicare & Payer, Specialty, and State.

Emergency Response

Additional Documentation Request (ADR): How to Respond Inside the Window

Medicare ADR response windows are contractor-specific (45 days for MAC/SMRC/RAC, 30 days for UPIC). Miss the window and the claim auto-denies. Here is the procedure that actually works.

7 min read
Specialty Compliance

Ambulatory Surgery Center Compliance: CMS + State + Infection Control

42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.

9 min read
Compliance Foundations

Annual HIPAA Training Curriculum (What to Cover + How to Document)

A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.

10 min read
Compliance Foundations

Anti-Kickback Statute: What Medical Practices Actually Need to Know (42 USC § 1320a-7b(b))

The federal Anti-Kickback Statute is intent-based, criminal-grade, and the most common fraud-and-abuse theory in OIG enforcement. Here is what AKS actually prohibits, how the safe harbors function, and where practices get caught.

9 min read
Specialty Compliance

Behavioral Health Compliance: 42 CFR Part 2 + HIPAA Together

How SAMHSA's 42 CFR Part 2 framework for substance use disorder records overlays HIPAA after the 2024 final rule alignment, and what behavioral health practices must document.

8 min read
Emergency Response

Breach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402

After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.

9 min read
Compliance Foundations

Business Associate Agreement Template (2026) + Counterparty Tracker

A 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.

10 min read
State Compliance

California Healthcare Compliance: CMIA + HIPAA — Where They Diverge

California's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.

9 min read
The product underneath these guides

The Security Risk Analysis.

The guides explain what the rules say. The SRA is where you actually assemble the documentation a practice needs when a reviewer asks — policies, workforce training logs, BAAs, sanction records, the lot — into one review-ready binder. Administrative documentation aid, not legal advice.

Tier II — HIPAA Security Risk Analysis

The SRA reference library, written for small practices.

The HIPAA Security Risk Analysis is the most-cited deficiency in OCR enforcement actions. These 22 guides cover the rule itself, the audit process, vendor risk, training, breach response, and specialty-specific risk profiles.

Vendors and BAAs

BAA Vendor List: Which Vendors a Small Practice Needs to Sign With

A working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.

5 min read
Audits and Enforcement

Change Healthcare Ransomware: What Small Practices Took Away

The February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.

6 min read
Foundations

CMS Promoting Interoperability and the Security Risk Analysis Attestation

How the CMS Promoting Interoperability program (formerly Meaningful Use) requires a HIPAA Security Risk Analysis for each EHR reporting period, what the attestation actually claims, and how CMS audits it after the fact.

5 min read
Tooling

The HHS SRA Tool vs Paid HIPAA Risk Analysis Options

What the free HHS/ONC Security Risk Assessment Tool actually does, where it stops, and how to evaluate paid alternatives without overpaying for what the free tool already covers.

5 min read
Audits and Enforcement

The HIPAA Breach Notification Rule, Explained

The four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).

6 min read
Administrative Safeguards

HIPAA Contingency Plan for a Small Practice

What the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.

5 min read
Technical Safeguards

HIPAA Encryption Requirements for ePHI

What the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.

5 min read
Audits and Enforcement

HIPAA Settlements and Civil Money Penalties: A Small-Practice Reading List

How HHS Office for Civil Rights publishes its enforcement record, the tiered civil money penalty structure at 45 CFR 160.404, and what recent small-practice settlements actually say.

5 min read
The product underneath these guides

SRA Binder Studio.

The guides explain what an SRA requires. The Studio is the assisted workflow a practice uses to actually produce one — discovery, threat model, controls, gaps, and a source-cited binder for payer, BAA, or internal review. Try the free 5-question readiness check first.

Tier III — Billing

Codes, modifiers, denials, and the money on the table.

Plain-English answers to the billing questions that come up in primary care every day — E/M selection, modifier rules, NCCI bundling, denial appeals, payer policy. 23 guides, written for the biller who needs the answer in under a minute.

HIPAA Compliance

HIPAA Security Risk Assessment Checklist for Small Practices

A practical, action-oriented Security Risk Assessment checklist for 1-10 provider practices. Covers the nine OCR elements, asset inventory, addressable specs, and how to document evidence.

7 min read
HIPAA Compliance

Business Associate Agreement Checklist for Small Practices

A working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.

6 min read
HIPAA Compliance

HIPAA Training Log Requirements for Small Practices

What HIPAA actually requires for workforce training, what your training log should contain, and how long to keep it. Built for small practices and office managers.

6 min read
HIPAA Compliance

Risk Register and 30/60/90 Remediation Plan: A Practical Guide for Small Practices

A practical template for turning your Security Risk Assessment into a living risk register plus a 30/60/90 remediation plan, with the CFR anchors small practices need.

6 min read
E/M Coding

99214 vs 99215: When to Bill Each Code

Learn the difference between 99214 and 99215: when each applies, what documentation you need, and the $40/visit revenue impact.

6 min read
Modifiers

Modifier 25: When to Use It and Common Mistakes

When to use modifier -25, when to skip it, and the common mistakes that trigger audits and denials.

5 min read
Denials

Medical Billing Denial Codes: What They Mean and How to Fix Them

CO-4, CO-97, CO-16, PR-96 and more. What each denial code means and exactly how to fix it.

8 min read
Denials

How to Appeal an Insurance Denial: Step-by-Step Guide

Claim denied? Step-by-step appeal process with payer deadlines, denial code fixes, appeal letter template, and escalation options.

12 min read
The complete archive

All 125 guides, alphabetical.

Every guide in one flat index. Use your browser’s find (Ctrl/⌘F) to jump to a topic.

Compliance80 guides

Family index →

HIPAA Security Risk Analysis22 guides

Family index →

Billing23 guides

For paying practices

Stop reading guides. Start running the workflow.

The Archive is free and stays free. The workspace — Ask D3 for billing research, the Denial Workbench, Revenue Audit, and the Templates engine — is where these guides become the daily workflow your billing team actually runs.