There is yet another really informative post by Jeff Drummond of Jackson Walker. This one is about a CE’s responsibility to actively monitor a BA’s compliance. Jeff writes, in part:
Lexology today led me to this article by Adam Green’s crew at Davis Wright Tremaine. It turns out, there is specific language in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000). The 2000 Final Rule says, “In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract. . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates. . . .”
Read more on HIPAA Blog.