Know who your BAs are, who your main contacts are, and ensure you have agreements and assurances from your BAs that they are securing your ePHI. Track security incidents for each BA so you can evaluate their performance over time.