HIPAA: Are You Prepared for a Business Associate Breach?

Business associate breaches can be the most costly type of breach and present some of the highest risk because you don't have insight or control over the business associate's security or policies.

An up-to-date business associate agreement doesn't mean you don't have to meet the requirements of the federal HIPAA Breach Notification Rule if the business associate causes a breach. Even if the business associate doesn't have the resources to pay for the patient notification and other costs, you are still required to meet those requirements. Business associate breaches can happen any time, such as the recent breach at the cloud-based electronic health record (EHR) NoMoreClipboard, which affected more than 200 covered entities. If you don't use a cloud-based EHR or practice management system, you may still be at risk if your billing or transcription vendors store your patients' data on their systems.

The average cost of a health care data breach per record is $398, according to a 2015 Pomemon Institute study. The cost in health care is primarily due to loss of business — patients switching physicians or providers after a data breach. 

What happens if a business associate causes a breach?

Even though a breach is caused by a business associate, under the federal HIPAA Breach Notification Rule, as the covered entity, it is still your breach, and your responsibilities include, but aren't limited to:

  • Reporting the breach to the U.S. Department of Health and Human Services,
  • Notifying the affected individuals by first-class mail,
  • Notifying the media (if more than 500 individuals are affected), and
  • Providing information to affected individuals who have questions about the breach.

Under Texas law, the business associate may be responsible for reporting and patient notification; however, that does not remove your responsibility as the covered entity under federal HIPAA regulations.

What can you do to lower your risk?

In addition to maintaining up-to-date business associates agreements, you may want to include the following in your HIPAA security compliance program for all business associates that store, access, or transmit your patients' protected health information:

  • Incident response plan for business associate breaches including up-to-date contact information for all current business associates;
  • Third-party (business associate) breaches identified as a threat in your most recent risk analysis;
  • Review of business associates' legal entity and place of incorporation (domestic or foreign company) identified as a safeguard in your compliance plan;
  • Review of business associates' security policies identified as a safeguard;
  • Review of business associates' financial resources and/or breach insurance coverage identified as a safeguard;
  • Policies that specify safeguards are to be implemented including review of business associates agreements, security policies, and financial resources and/or breach insurance coverage;
  • Documentation that your policies have been implemented, including up-to-date agreements and attestations of security policies and financial resources/breach coverage; and
  • Documentation that your policies are followed after implementation, including regular renewals of business associate security and financial attestations.

Also be sure to visit TMA’s HIPAA Resource Center for more resources, including continuing medical education courses. 

Published Sept. 9, 2015

TMA Practice E-Tips main page

Last Updated On

May 30, 2019

Related Content

HIPAA | Risk Management