Is a covered entity liable for, or required to monitor, the actions of its business associates?

No. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with their business associates (BAs) that protect the privacy of protected health information (PHI); but covered entities are not required to monitor or oversee the means by which their BAs carry out privacy safeguards, or the extent to which a BA abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its BAs. However, if a covered entity learns of a material breach or violation of the contract by the BA, it must take reasonable steps to cure the breach or end the violation and, if those steps are unsuccessful, terminate the contract with the BA. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to HHS/OCR. See 45 CFR 164.504(e)(1). Note that this answer reflects the rule as originally issued: the 2013 HIPAA Omnibus Final Rule removed the requirement to report an unterminable BA relationship to HHS from 164.504(e)(1)(ii), and a covered entity can now be liable for civil money penalties for the acts of a BA that is acting as its agent within the scope of the agency (45 CFR 160.402(c)), so the "not liable" statement above should not be relied on without checking the current regulation text.