HIPAA's Security Rule at §164.308 (Administrative safeguards) begins with paragraph (a), "A covered entity or business associate must, in accordance with §164.306", and then goes on to make various calls to "Implement policies and procedures" ...
Then, turning to the Privacy Rule: a business associate (BA) is not directly required to comply with the Privacy Rule, except as specified within the Security Rule, but may be required to comply with those sections of the Privacy Rule that are specified in the contract or business associate agreement (BAA), which is itself a requirement, with its covered entity clients.