Compliance Document

Medical Coding Audit Log

GMB Billing Firm maintains a comprehensive audit log of all platform coding events for HIPAA compliance, accountability, and PHI protection. This document describes what is logged, what is not logged, and how logs are used.

Effective Date: April 22, 2026
Retention Period: 6 Years
Regulation: 45 CFR §164.530(j)
Standard: HIPAA Audit Controls
Section 1

Purpose of the Audit Log

The Medical Coding Audit Log is a security and compliance control maintained by GMB Billing Firm under the HIPAA Security Rule's Audit Controls standard (45 CFR §164.312(b)). The audit log records activity on the GMB Billing Firm coding platform to:

Section 2

Events Recorded in the Audit Log

Session Access Event (Logged)
Timestamp, anonymized session ID, browser type, and general geographic region (state/country level). No IP address stored.

PHI Detection Event (Critical — Always Logged)
Whether PHI patterns were detected, the category of PHI found (e.g., SSN, PHONE), and the user's response (warning acknowledged or PHI removed). No actual PHI values stored.

De-ID Confirmation (Logged)
Timestamp when user checked the "I confirm all PHI has been removed" checkbox. Records whether confirmation was obtained before code generation.

Code Generation Request (Logged)
Timestamp of AI coding request, selected specialty and facility type (if provided), and whether PHI confirmation was on record. No clinical notes content stored.

File Upload Event (Logged)
File type (.txt or .pdf) uploaded, timestamp, and PHI scan result for the uploaded file. No file content or filename is stored in the audit log.

Billing Assistant Usage (Logged)
Timestamp and type of billing action (claim analysis, appeal generation, denial lookup). No claim data, clinical content, or appeal letter text is stored.
Section 3

What Is NOT Stored in the Audit Log

Patient Privacy Protection — No Clinical Content Logged

GMB Billing Firm does not log, store, or retain any clinical content submitted by users. The audit log contains only event metadata — timestamps, event types, and detection results — never the actual text, codes, or documents.

Data Type                    | Stored in Audit Log? | Reason
Clinical notes text          | ❌ NOT stored        | Patient privacy — no clinical content retained
Generated ICD-10/CPT codes   | ❌ NOT stored        | Coding output belongs to the provider
Claim data content           | ❌ NOT stored        | Billing data not retained beyond session
Appeal letter text           | ❌ NOT stored        | Provider-generated content not retained
Specific PHI values detected | ❌ NOT stored        | PHI category logged (e.g., "SSN"), never the actual value
Uploaded file content        | ❌ NOT stored        | File content processed in-memory only
Patient identifiers          | ❌ NOT stored        | No patient data ever stored by platform
Full IP address              | ❌ NOT stored        | Only anonymized region (state level) recorded
Session timestamp            | ✓ Stored             | Required for HIPAA audit controls compliance
PHI detection event type     | ✓ Stored             | Compliance documentation for PHI incident review
De-ID confirmation           | ✓ Stored             | Liability protection — proof of user attestation
Code generation request      | ✓ Stored             | Audit trail for coding activity volume
Section 4

Sample Audit Log Entries

The following illustrates the format of audit log entries. All entries contain only metadata — no clinical content is ever included:

2026-04-22 14:23:01 UTC SESSION_START region=FL | browser=Safari/iOS | session=s_8f3a2d
2026-04-22 14:23:18 UTC FILE_UPLOAD type=PDF | phi_scan=TRIGGERED | categories=[DATE, MRN]
2026-04-22 14:23:18 UTC PHI_DETECTED categories=[DATE, MRN] | action=WARNING_DISPLAYED | blocked=true
2026-04-22 14:24:45 UTC PHI_SCAN_CLEAR resubmit=true | phi_detected=false | user_action=PHI_REMOVED
2026-04-22 14:25:02 UTC DEID_CONFIRMED checkbox=checked | timestamp=2026-04-22T14:25:02Z
2026-04-22 14:25:04 UTC CODE_GEN_REQUEST specialty=Pulmonology | facility=Outpatient | deid_confirmed=true | phi_clear=true
2026-04-22 14:25:06 UTC CODE_GEN_COMPLETE status=success | duration=2.1s
2026-04-22 14:26:33 UTC BILLING_ACTION type=CLAIM_ANALYSIS | status=complete
2026-04-22 14:28:11 UTC SESSION_END duration=5m10s | events=8

Note: categories=[DATE, MRN] records only the type of PHI detected — never the actual date or MRN value.
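The "metadata only" property above is something a compliance reviewer can check mechanically rather than take on trust. The following is an added example, not code from GMB Billing Firm or its platform: it parses lines in the Section 4 format and flags any entry whose fields look like a raw identifier instead of a category label. The `PHI_CATEGORIES` allow-list and the `LEAK_PATTERNS` heuristics (SSN, phone, IPv4) are assumptions chosen for illustration, and the sample lines are constructed copies of the ones shown above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample entries in the Section 4 format (not real platform output).
SAMPLE_LOG = """\
2026-04-22 14:23:01 UTC SESSION_START region=FL | browser=Safari/iOS | session=s_8f3a2d
2026-04-22 14:23:18 UTC FILE_UPLOAD type=PDF | phi_scan=TRIGGERED | categories=[DATE, MRN]
2026-04-22 14:23:18 UTC PHI_DETECTED categories=[DATE, MRN] | action=WARNING_DISPLAYED | blocked=true
2026-04-22 14:25:04 UTC CODE_GEN_REQUEST specialty=Pulmonology | facility=Outpatient | deid_confirmed=true | phi_clear=true
2026-04-22 14:28:11 UTC SESSION_END duration=5m10s | events=8
"""

# "<date> <time> UTC <EVENT> key=value | key=value ..."
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC (\S+)(?: (.*))?$")

# Assumed allow-list of category labels; the page itself names DATE, MRN, SSN and PHONE.
PHI_CATEGORIES = {"DATE", "MRN", "SSN", "PHONE"}

# Constructed heuristics for values that must never appear in a metadata-only log.
LEAK_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "IPV4": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}


@dataclass
class AuditEntry:
    timestamp: datetime
    event: str
    fields: dict = field(default_factory=dict)


def parse_entry(line):
    """Parse one audit line; bracketed values such as categories=[DATE, MRN] become lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    fields = {}
    for part in (m.group(3) or "").split(" | "):
        if not part:
            continue
        key, _, value = part.partition("=")
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        fields[key] = value
    return AuditEntry(ts, m.group(2), fields)


def check_metadata_only(entry):
    """Return a list of violations; an empty list means the entry carries metadata only."""
    problems = []
    for c in entry.fields.get("categories", []):
        if c not in PHI_CATEGORIES:
            problems.append(f"unknown PHI category label {c!r} (labels only, never data)")
    for key, value in entry.fields.items():
        if isinstance(value, list):
            continue
        for name, pat in LEAK_PATTERNS.items():
            if pat.search(value):
                problems.append(f"field {key!r} looks like a raw {name} value")
    return problems


def audit_log_report(text):
    """Parse a whole log and return (entries, {line_index: violations}) for offending lines."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    bad = {i: check_metadata_only(e) for i, e in enumerate(entries)}
    return entries, {i: v for i, v in bad.items() if v}


if __name__ == "__main__":
    entries, bad = audit_log_report(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {len(bad)} with metadata violations")
```

Run this over an exported log as a periodic control: the expected result on a compliant log is an empty violations map, and any hit is a candidate PHI incident for the review process described in Section 7.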

Section 5

Log Retention, Access & Security

Retention Policy

Audit logs are retained for a minimum of 6 years from the date of creation, consistent with the HIPAA documentation retention standard (45 CFR §164.530(j)(2)). After 6 years, logs are securely deleted using NIST 800-88 compliant data sanitization methods.

Access Controls: Audit logs are accessible only to authorized GMB Billing Firm compliance personnel and, upon valid legal request, to regulatory authorities (OCR, HHS). Covered Entities may request a summary of their organization's audit log data by contacting support@gmbcoding.com with their organization's domain information.

Log Integrity: Audit logs are stored in a write-once, append-only format with cryptographic hash chaining to prevent tampering. Log files are replicated across multiple secure locations and cannot be modified or deleted by any single user, including GMB Billing Firm administrators.
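The hash chaining mentioned above works by making each record commit to the hash of the record before it, so editing or deleting any past record invalidates every record after it. The following is an added illustration of that mechanism, not GMB Billing Firm's implementation: SHA-256 over canonical JSON, an all-zero genesis anchor, and the sample event dicts are all assumptions chosen for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record's "previous hash"


def _digest(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes identically.
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain, entry):
    """Append a metadata-only event; the new record commits to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return chain


def verify_chain(chain):
    """Walk the chain from genesis; return (True, None) or (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_chain():
    # Constructed metadata-only events mirroring the Section 4 format (no clinical content).
    events = [
        {"ts": "2026-04-22T14:23:01Z", "event": "SESSION_START", "region": "FL", "session": "s_8f3a2d"},
        {"ts": "2026-04-22T14:23:18Z", "event": "PHI_DETECTED", "categories": ["DATE", "MRN"], "blocked": True},
        {"ts": "2026-04-22T14:25:02Z", "event": "DEID_CONFIRMED", "checkbox": "checked"},
        {"ts": "2026-04-22T14:28:11Z", "event": "SESSION_END", "events": 3},
    ]
    chain = []
    for e in events:
        append_entry(chain, e)
    return chain


def tamper_demo():
    """Edit a past record in place; verification fails at that record."""
    chain = build_sample_chain()
    chain[1]["entry"]["blocked"] = False
    return verify_chain(chain)


def delete_demo():
    """Remove a record from the middle; the next record's prev pointer no longer matches."""
    chain = build_sample_chain()
    del chain[2]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("edited:", tamper_demo())
    print("deleted:", delete_demo())
```

One caveat worth keeping in mind when reading the integrity claim: a hash chain by itself only detects tampering by someone who cannot also recompute every later hash. It is the replication to multiple locations and the restriction that no single user can rewrite the store that makes the latest hash a trustworthy anchor; verifying the chain against a copy held elsewhere is the check that closes the loop.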

Security: All audit log data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access to log systems requires multi-factor authentication and is restricted to authorized personnel only.

Regulatory Disclosure

GMB Billing Firm will disclose audit log data to the HHS Office for Civil Rights (OCR) or other regulatory authorities when required by law, subpoena, or valid regulatory request. In the event of a HIPAA investigation, audit logs serve as documentation of the PHI detection system's operation and user acknowledgments.

Section 6

Compliance Value & Liability Protection

The Medical Coding Audit Log serves as critical evidence in the event of a HIPAA investigation or OCR audit. Specifically, the audit log demonstrates:

Important — User Responsibility

The audit log will record any instance where a user overrides PHI warnings or bypasses the de-identification confirmation. These records establish that the user was informed of PHI detection and chose to proceed — shifting liability to the Covered Entity for any resulting HIPAA violation.

Section 7

Audit Log Requests & Contact

To request an audit log summary for your organization, report a potential PHI incident, or inquire about audit log policies, contact:

GMB Billing Firm Privacy & Compliance Office

📧 Privacy Inquiries: support@gmbcoding.com

📧 Legal & BAA: support@gmbcoding.com

🌐 Platform: gmbbillingfirm.com