Luckily, the answer to this question is a good one for covered entities. Business associates are liable for their own actions and for every piece of protected information they are given. The important thing for covered entities is to properly enter into a contract that protects the privacy of protected information.
Monitoring or overseeing the work or actions of business associates is neither required nor expected. Business associates are wholly responsible for complying with the privacy safety measures spelled out in the contract between the covered entity and the business associate.
The biggest concern for a covered entity when it comes to its business associates is acting on information or evidence that a business associate is not complying with the contract. If a covered entity neglects to act on discovered evidence indicating that a business associate is not in compliance with the precautions in place in the contract, then the covered entity can be charged for neglect.
When a breach or violation is discovered, a covered entity is expected to take appropriate action to secure the breach or end the violation. If it is not possible to secure the breach or end the violation, the entity is expected to terminate the contract.
Several details can't be succinctly explained in a short summary; therefore, it is up to the covered entity to make sure it is operating within the policies of the HIPAA laws.