
FAQ 539 How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

This is guidance on how a covered entity should respond to a HIPAA Privacy Rule violation by a health information organization (HIO) acting as its business associate.

Final

Issued by: Office for Civil Rights (OCR)

How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

  • investigation of any complaint received, as well as of other information containing credible evidence of a violation;
  • reasonable steps to cure/end any material breaches or violations it becomes aware of;
  • termination of the agreement where attempts to cure a material breach are unsuccessful; and
  • in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).


Created 12/15/08


Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013


DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.