Who must ensure that business associates comply with HIPAA?

The correct response is that covered entities must ensure that business associates comply with HIPAA. Covered entities, which include health care providers, health plans, and healthcare clearinghouses that transmit health information in electronic form, have a responsibility to safeguard the privacy and security of protected health information (PHI).

Under HIPAA regulations, covered entities are required to have written contracts, known as Business Associate Agreements, with their business associates. These agreements outline the responsibilities of the business associates regarding the handling of PHI, ensuring that they implement appropriate safeguards and adhere to HIPAA privacy and security rules.

This direct accountability ensures that the protections associated with PHI extend beyond the covered entities themselves to the business associates that handle this sensitive information, particularly when they perform functions or services on behalf of the covered entities that involve the use or disclosure of PHI.