Anesthesia Coding Alert

Reader Question:

Follow This Advice With BAs for Phase 2 HIPAA Audits

Question: When the Phase 2 HIPAA audits move to business associates (BAs), does our medical practice as the covered entity (CE) have an obligation to perform a “pre-audit” on whether our BAs are in compliance with HIPAA? What happens if one of our BAs has a HIPAA audit that doesn’t go well — will this affect our practice?

Indiana Subscriber

Answer: Strictly speaking, under the Health Information Technology for Economic and Clinical Health Act (HITECH), a CE is not responsible for its BA’s compliance, says attorney Neal F. Eggeson, JD of Eggeson Appellate Services in Indianapolis. So if your BA fails a Phase 2 HIPAA audit, this shouldn’t affect your own audit performance.

Caveat: But if your medical practice becomes aware of a deficiency in its BA’s compliance with the Privacy Rule, you must take steps to correct or mitigate that risk, Eggeson notes. “Consequently, medical practices are well within their rights to demand broader assurances from their [BAs] — including periodic review/audit of their BA’s compliance.” And if your medical practice has already been doing this, then a pre-audit should not be necessary.


Other Articles in this issue of

Anesthesia Coding Alert

View All

Which Codify by AAPC tool is right for you?

Call 844-334-2816 to speak with a Codify by AAPC specialist now.