New rules for business associates.
As of September 23, 2014, business associates of health companies became directly responsible for their own HIPAA compliance. Even so, healthcare companies themselves would be well advised to make sure any third party they deal with is compliant.
Vendor rules can affect more aspects of your business than might meet the eye. For example, if you contract a food vendor and they are working with your dietician on a patient’s food plan, the food vendor may be privy to a patient’s health information based on the patient’s menus. Hence, you would want to make sure the food vendor is HIPAA compliant. If a business associate violates HIPAA, you are responsible for seeing that they correct the violation, and if they do not, you must stop doing business with them.
Business associates are also responsible for making sure that their subcontractors are compliant with HIPAA regulations. The subcontractors themselves may not be subject to HIPAA regulations, so you may want to ask your business associates how they select and train their subcontractors.