Large healthcare providers and payers have become increasingly concerned that a vendor will not notify them of a HIPAA breach in a timely manner. A delayed vendor notification can lead to fines and penalties for the provider or payer even though it was the vendor that was breached. In every breach, it is the organization with the direct relationship to the patient that bears the brunt of the associated reputational damage, and a delayed notification to the patient only exacerbates this damage.

As the flow of electronic protected health information (ePHI) becomes more complex, those with access to this data become further removed from the patient in question. The transfer of ePHI can bring significant benefit to the patient as well as to the entire healthcare industry. However, it makes it harder to promptly notify patients when their data is mishandled or involved in a security breach. As business arrangements are established among covered entities, business associates, and subcontractors, it is increasingly important to consider how information about a breach or incident will be communicated back to the patient.

To improve your communications processes, here are four things you should include in your business associate agreements or service level contracts to ensure timely and efficient notification:

  1. Outline and define what ePHI a business associate or subcontractor may disclose to a covered entity when reporting an unauthorized or unpermitted disclosure of ePHI.

  2. Specify the time business associates or subcontractors have, after discovery of a breach or incident, to report the activity to the covered entity. States have been active in recent years in compressing the time allowed for notification to the patient. Make sure you are cognizant of your state requirements when determining how long business associates and subcontractors have to notify covered entities.

  3. Identify what information the business associate or subcontractor must provide to the covered entity when providing notification of a breach or incident. At a minimum, this should include:

    • Business associate/subcontractor point of contact;

    • Description of what happened, including the date of the incident and the date of discovery;

    • Description of the types of ePHI involved in the incident or breach; and

    • What the business associate/subcontractor is going to do to investigate and remediate the incident and to prevent future incidents.

  4. Require staff to be trained specifically in how to communicate and respond to security incidents and breaches involving ePHI.

These terms can be included either in a standalone business associate agreement or as part of a service level agreement; both satisfy HIPAA requirements. While HIPAA does not require all of these terms at the level of specificity detailed here, including them will serve your organization well. It is much easier to negotiate and agree on these terms in advance than to try to do so in the middle of a breach response.
