HHS – April 2002
PHYSICIAN:  The privacy rule requires me to monitor the activities of my business associates.
Covered entities are not required to monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.
FALSE !
FALSE!     Covered entities are not required to monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract.

If the covered entity becomes aware of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, the covered entity must take “reasonable steps” to cure the breach or to end the violation.  This depends on the actual knowledge of the covered entity; there is no obligation to monitor or investigate.

The required reasonable steps will vary with the circumstances and nature of the business relationship.  If such steps are not successful, the covered entity must terminate the contract, if feasible.  The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity.  In such circumstances where termination is not feasible, the covered entity must report the problem to the Department.  Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.