Recent statements at the 27th National HIPAA Summit suggest that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may be changing its position and expecting a greater level of vendor due diligence under HIPAA.

Although surprising to many, the HIPAA regulations do not specifically require vendor due diligence or monitoring. Rather, HIPAA requires a business associate agreement (BAA) and requires that the covered entity take action upon learning of a business associate's pattern of activity or practice that breaches the BAA. The same is true of the relationship between business associates and their subcontractors.