* If a business associate engages a subcontractor to perform a function or service that involves use or disclosure of PHI, then the business associate is obligated to enter into a BAA with the subcontractor.
* If a breach of PHI occurs at the subcontractor tier, then the subcontractor must notify the business associate, which then must notify the covered entity. The covered entity must then notify the affected individuals, unless it has delegated such responsibilities to a business associate.
The maximum penalty for HIPAA noncompliance is $1.5 million per violation, so clients and cloud vendors have good reason to understand these latest modifications.