The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

  • investigation of any complaint received, as well as of other information containing credible evidence of a violation;
  • reasonable steps to cure/end any material breaches or violations it becomes aware of;
  • termination of the agreement where attempts to cure a material breach are unsuccessful; and
  • in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 CFR § 164.504(e).