Access cannot be freely granted to data. Such is the reality of the world today. If a vendor is allowed to freely access, use or otherwise interact with data, unnecessary risk has been created. Why go down the risk-filled road, when issues can be identified and addressed?
This question is central for healthcare entities, whether covered entities contracting with business associates or business associates contracting with subcontractors. The direct liability all of the way up and down the chain of access now firmly entrenched in HIPAA means no entity on any level can escape notice.
