If a Business Associate discovers that protected health information (PHI) was improperly used or disclosed what are they obligated to do?

If a Business Associate discovers that protected health information (PHI) has been improperly used or disclosed, they are obligated to notify the covered entity (the healthcare provider or organization that provided the PHI) without unreasonable delay, and no later than 60 days after the discovery. They must provide details about the breach, including the nature of the information involved, the circumstances surrounding the breach, and any steps taken to mitigate the harm. Additionally, they should cooperate with the covered entity in addressing the breach and complying with any notification requirements.