Business Associate Agreements
If you "google" business associate agreement, as I have done recently, you will get a mixed bag of results. You will see some samples of recent and not-so-recent agreements developed by covered entities in conjunction with their legal advisors, offers of templates for $19.99, training courses, and many opinions from various law firms and associations.
If the lawyer has been efficient, they will cite various parts of the HIPAA HITECH Act that apply and then opine as to the applicability. Some will say that you need a new business associate agreement, some will say you should wait, but what they are starting to say is that a business associate agreement alone is not enough. Mostly they are giving advice to the covered entity, since covered entities are generally their clients, but they do cite the requirement for the business associate to meet the same standards as the covered entity and for the covered entity to advise the business associate to meet the standards.
The question is: is that enough? Has the covered entity done enough to assure that their business associates are compliant? When there is a breach, and the question is not if, but when, will the auditors determine that there was "willful neglect" on the part of the covered entity? If they do, the fines go up dramatically.
I believe that covered entities have a responsibility to help their business associates attain and maintain compliance, and they need to be able to prove to an auditor that they had an active and aggressive program in place to assure themselves that their business associates were compliant at all times. Anything short of this runs the risk of high fines when there is a breach.