Q&A: You've got questions! We've got answers!

Physician Practice Insider, March 8, 2016

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: When a covered entity (CE) audits a business associate's (BA) records, how should it handle records from a subcontractor (in this case, a medical clinic) that the BA shares data with? The subcontractor has other medical records (different payers') mixed in with ours. The subcontractor had the auditor sign a BAA. Was this necessary? Could a BAA prevent an auditor from performing an audit on them? Instead of having the auditor sign a BAA, should the subcontractor have asked them to sign a confidentiality agreement? Is there anything that needs to be done to protect the data and the auditor? If the subcontractor experiences a breach or other type of data incident outside of this audit, is there any risk to the auditor?

A: If the subcontractor is a clinic and a CE, it is appropriate to execute a BAA with your BA. On the other hand, if the subcontractor is a BA subcontractor of your BA, the BAA between your BA and your BA subcontractor would be sufficient unless your BA has access to PHI as part of the audit that is not associated with your organization. If the BA has access to other CEs' PHI as part of the audit, a BAA is needed because your BA would be providing access to other CEs' PHI as part of the audit. In the end, you should not be accessing other CEs' PHI, even as part of an audit, without the appropriate BAAs in place. That may violate the minimum necessary standard.

Editor’s note: Chris Apgar, CISSP, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.