Good write-up by Varonis discussing the finalized regulatory rules for HIPAA:
What has changed
With the finalized rules (which by the way run over 500 pages) not only do business associates come under HIPAA, but a new class of consultants and subcontractors who perform workon behalf of the business associates also have HIPAA obligations.
In effect, the final rules say that any company that has access to e-PHI is treated just like a hospital or HMO. By the way, HIPAA/HITECH’s Breach Notification Rule, which originally required health companies and their business associates to report e-PHI disclosures, is now extended to medical data subcontractors as well.
The ultimate intent is to close off any holes in security and enforcement when the business associates themselves outsource data processing to others.