
How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

  • investigation of any complaint received, as well as of other information containing credible evidence of a violation;
  • reasonable steps to cure/end any material breaches or violations it becomes aware of;
  • termination of the agreement where attempts to cure a material breach are unsuccessful; and
  • in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).


Created 12/15/08

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013