Question: When the Phase 2 HIPAA audits move to business associates (BAs), does our medical practice as the covered entity (CE) have an obligation to perform a “pre-audit” on whether our BAs are in compliance with HIPAA? What happens if one of our BAs has a HIPAA audit that doesn’t go well — will this affect our practice?
Answer: Strictly speaking, under the Health Information Technology for Economic and Clinical Health Act (HITECH), a CE is not responsible for its BA’s compliance, says attorney Neal F. Eggeson, JD of Eggeson Appellate Services in Indianapolis. So if your BA fails a Phase 2 HIPAA audit, this shouldn’t affect your own audit performance.
Caveat: But if your medical practice becomes aware of a deficiency in its BA’s compliance with the Privacy Rule, you must take steps to correct or mitigate that risk, Eggeson notes. “Consequently, medical practices are well within their rights to demand broader assurances from their [BAs] — including periodic review/audit of their BA’s compliance.” And if your medical practice has already been doing this, then a pre-audit should not be necessary.