Do covered entities need to monitor their Business Associates?
No. The Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates that require the business associate to protect the privacy of protected health information, but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which a business associate abides by the privacy requirements of the contract. However, if a covered entity finds out about a material violation of the contract, it must act to end the violation and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible, the covered entity must report the problem to the Secretary of Health and Human Services. Further, the business associate, under the terms of the agreement, is required to report to the covered entity any violation of the terms of the agreement of which it becomes aware.