"The Final Rule noted that a covered entity that is acting as a business associate (by, for instance, providing billing or other services to another covered entity) should respond to a breach as a business associate." . . . . .