Q&A: You've got questions! We've got answers!
Physician Practice Insider, March 8, 2016
Submit your questions to Associate Editor Nicole Votta at nvotta@hcpro.com and we will work with our experts to provide you with the information you need.
Q: When a covered entity (CE) audits a business associate's (BA) records, how should it handle records from a subcontractor (in this case, a medical clinic) that the BA shares data with? The subcontractor has other medical records (different payers') mixed in with ours. The subcontractor had the auditor sign a BAA. Was this necessary? Could a BAA prevent an auditor from performing an audit on them? Instead of having the auditor sign a BAA, should the subcontractor have asked them to sign a confidentiality agreement? Is there anything that needs to be done to protect the data and the auditor? If the subcontractor experiences a breach or other type of data incident outside of this audit, is there any risk to the auditor?
A: If the subcontractor is a clinic and a CE, it is appropriate to execute a BAA with your BA. On the other hand, if the subcontractor is a BA subcontractor of your BA, the BAA between your BA and your BA subcontractor would be sufficient unless your BA has access to PHI as part of the audit that is not associated with your organization. If the BA has access to other CEs' PHI as part of the audit, a BAA is needed because your BA would be providing access to other CEs' PHI as part of the audit. In the end, you should not be accessing other CEs' PHI, even as part of an audit, without the appropriate BAAs in place. That may violate the minimum necessary standard.
Editor’s note: Chris Apgar, CISSP, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.