New HIPAA rule could change BAA talks
As for crafting associate agreements, Curran enumerated some of the components he sees as must-have, such as, "incident response – how long does it take you to respond? How long does it take you to protect? How long does it take you to remediate? Those types of questions all go into the contract. A copy of the technical evaluation goes into the contract – and let me tell you, they don't want to do that, because it holds them to what they say. It's very hard to get that in there, but you need to push to get it in there."
He added, "We put in our BAA that we want breach notification within 10 days of detection of a breach. Many (vendors) will come back and say, 'We'll let you know in 60.' I'll come back and say, 'I, as a covered entity, am responsible for that breach notification. It has to go out in 60 days. How am I supposed to do that? So, 10 days. Max I'll go is 15.' Most of them say OK."
Like Musso, Curran suggested that larger vendors might be better prepared for this brave new post-Omnibus world than the smaller companies who may balk at the new requirements – if they're aware of them at all.
Speaking of non-cloud business associates, Curran's "experience with vendors varies depending on the size," he said. "Some of the GE- and Epic- and McKesson-type vendors understand what their requirements are. But we have some companies that do transcription for our ambulatory offices. They have no clue as to what their roles and responsibilities are. You need to educate them."
You may well find that that requires "a lot of time," he said. "I was on the phone with one compliance officer for a total of eight hours trying to educate them about what their role was. It was obvious to me that they had no idea what HIPAA privacy and security was all about."
That sort of hand-holding may be an annoyance, but it must be done. After all, said Musso, "It's still your PHI. If it's the vendor you chose, and they fall short of complying with the language they agreed to in the BAA, even if they're the one doing the breach notification, it's your PHI, and it's your reputation."