Just some notes from a discussion on HIPAA and HITECH compliance.
HIPAA is about having policies in place to protect patient info - all patient info (paper and digital).
HITECH is an add-on law that imposes heavy penalties and fines for non-compliance and security breaches. HITECH went into effect in 9/13. The federal agency OCR (the HHS Office for Civil Rights) does compliance audits of covered entities.
Even with faxes and paper files, healthcare covered entities must protect the paper with written policies and procedures, and train staff on them, to guard against a breach. If I walk out with a fax that contains a patient's blood test, that doctor is liable for fines. (Not all doctors get this.)
There is always an insecure endpoint (especially the smartphone). Voicemail, faxes, email - all have ePHI stored somewhere insecurely. The Business Associate assumes some responsibility for the security of the data via a Business Associate Agreement (BAA). The BAA spells out the duties of each party.
Some possible vendors:
Microsoft only offers a BAA for Office 365 and Hyper-V, and only under volume licensing.