FAQ 539 How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?
This is guidance on how a covered entity should respond to a HIPAA Privacy Rule violation by a health information organization (HIO) acting as its business associate.
Final
Issued by: Office for Civil Rights (OCR)
How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?
The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:
- investigation of any complaint received, as well as of other information containing credible evidence of a violation;
- reasonable steps to cure/end any material breaches or violations it becomes aware of;
- termination of the agreement where attempts to cure a material breach are unsuccessful; and
- in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).
Created 12/15/08