How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?
The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:
- investigation of any complaint received, as well as of other information containing credible evidence of a violation;
- reasonable steps to cure/end any material breaches or violations it becomes aware of;
- termination of the agreement where attempts to cure a material breach are unsuccessful; and
- in the event that termination of the agreement is not feasible, reporting the violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).