Here’s a quick rhetorical poll:

1) Are you a healthcare services company?

2) Do you have a computer? Like, many computers?

3) Do you like rules?

According to a piece on, “A change to the federal HIPAA rule adds security requirements for health care software developers and data backup services, classified as “business associates.” What will this mean for you? It means you’re now not just responsible for you own house, you’re responsible for your business partners as well. Passing the buck may soon become a quaint phrase no one uses.

“Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers,” Brian T. Horowitz writes. Among those under this wider tent are:

  • Companies that produce electronic health record (EHR) software
  • Companies that offer billing and transcription applications
  • Companies that host data in the cloud or provide backup services

All will be responsible for health information leaks.

Doug Pollack, chief marketing officer for ID Experts, thinks it’s going to take several providers failing to read the writing on the wall and falling afoul of these new rules to wake the whole industry up: “The majority of business associates now are probably not meeting the letter of the law in terms of their security obligations. There will be breaches, and you’re going to see substantial monetary penalties applied to business associates for not being rigorous about meeting their security obligations.”

The final rule takes effect on March 26, and covered entities such as health insurance organizations and business associates like IT companies must comply by Sept. 23.