164.314(a)(1) - A covered entity is not in compliance with the standards in 164.502(e) [the HIPAA Privacy Rule - Disclosures to Business Associates standard] and paragraph (a) of this section [the Business Associate Contracts or Other Arrangements standard] if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful – (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the Secretary.

164.314(b)(1) - Requires a group health plan to ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard EPHI that it creates, receives, maintains or transmits on behalf of the group health plan.