1. Upon termination of a business associate or employee, a healthcare organization must take 5 steps to protect protected health information (PHI) and electronic PHI (EPHI) according to HIPAA guidelines. These steps include ensuring all PHI and EPHI is returned or destroyed, completing a risk assessment of any PHI or EPHI that cannot be returned or destroyed, implementing safeguards for any retained PHI and EPHI, documenting completion of the termination requirements, and reporting any breaches or improper uses of PHI and EPHI that occur during or after termination.