The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:
investigation of any complaint received, as well as of other information containing credible evidence of a violation;
reasonable steps to cure/end any material breaches or violations it becomes aware of;
termination of the agreement where attempts to cure a material breach are unsuccessful; and
in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).