In other words, the business associate becomes separately responsible for HIPAA compliance when your customers' PHI is in its custody. It's like a chain that follows the PHI from the first link, the covered entity. The next link is the business associate, and all of its subcontractors (including business associates) are the links that follow. Think of subcontractors as business associates of business associates. The BAA follows the direct path of the chain. Thus, a covered entity is not required to sign a BAA with the subcontractors of its business associates, but the business associate is.

Contracts with business associates.

The contract or other written agreement between a covered entity and its business associate must contain the elements specified in 45 CFR 164.504(e). For example, the contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

If a covered entity becomes aware of a material breach or violation of the contract or agreement by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps fail, to terminate the contract or agreement. If termination of the contract or agreement is not possible, a covered entity must report the issue to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).