Making BAs into CEs: The sausage is still being made in Washington, DC, but it's looking like the so-called stimulus bill will increase at least some of the existing health information privacy requirements. According to this article, the House version of the bill contains provisions that will impose the same HIPAA privacy requirements that are already applicable to health plans, providers and clearinghouses ("Covered Entities" in HIPAA parlance) on their vendors and contractors ("Business Associates" under HIPAA).
Currently, HIPAA only applies to covered entities. If a company is a business associate of a covered entity, the CE is required by HIPAA to enter into a "business associate agreement" with the BA. The BAA pushes down the HIPAA privacy requirements by contract, rather than by law, onto the BA, but the BA isn't directly obligated under HIPAA. Basically, the BAA must contractually obligate the BA to treat the health information as safely and privately as the CE does. But while the BA then must provide privacy protections, it is not required to take all of the administrative steps HIPAA imposes on CEs.
It looks like that may change, adding administrative costs to vendors in the healthcare business.