HITECH happened in April of 2009, and we are now approaching its third anniversary and still haven’t seen many of its provisions enacted through rules. However, many of those provisions are included in the Omnibus Rule that revises the HIPAA security rule. One of its elements is a set of new requirements for business associates.

HITECH expanded HIPAA’s reach to those who do business with covered entities involving access to protected health information, but no enforcement is expected until the final rules are released. This, of course, represents a huge gap in HIPAA enforcement and, as we have seen from just the large breaches reported, a serious risk. Business associates account for somewhere around 30% of the total number of breaches reported, but nearly 75% of the records potentially exposed. Even the OCR audits are not expected to address the business associate community.

We talk about taking a risk-based approach to data security, addressing the biggest risks first. Business associates represent a far greater aggregation of patient information than most health care providers, yet it has taken more than two years for us to define our expectations of them, we still haven’t published those requirements, and it’s other covered entities who are still receiving all the attention.