One trend that I'm seeing in my practice representing healthcare information technology companies is an increased focus on applying the HIPAA Security Rule standards to vendors. Â A HIPAA business associate agreement is required to contain relatively sketchy representations regarding "reasonable and appropriate" vendor security measures. Â For application service providers and other vendors that maintain significant quantities of protected health information, some HIPAA covered entities are beginning to seek much more detailed security representations that amount to compliance with the Security Rule. Â For vendors, this sort of approach can seem burdensome and overly prescriptive. Â For HIPAA covered entities, the approach is intended to ensure that security protections are not diminished when data is in the hands of vendors. Â In any event, it is a negotiation that many healthcare technology companies are faced with ....
