Breach of Unsecured PHI

Under HIPAA, a business associate must notify a covered entity health plan no later than 60 days from the time it discovered a breach of unsecured protected health information.

If a business associate has, say, thousands of covered entity clients and discovers that only a few participants of only a few of the covered entity health plans are affected by a breach (and the business associate does not know which ones until later), when does that 60-day window start?

Does it start when it determines which specific covered entities are affected?

Or does it start when it discovered the breach (which would require that it notify all of its clients, most of which would ultimately be unaffected)?

I could not find any HHS guidance on point.  

Thanks.


I read the rules to say that there's only a breach for a CE when the CE or BA knows, or should know by exercising reasonable diligence, that a breach of unsecured PHI occurred for individuals with that CE.

Nonetheless, I think it would be difficult to argue that your CE breach notification timeline is different from others affected by the breach at the BA level.  You would have to feel confident that even a BA exercising reasonable diligence couldn't sort out whether the CE's specific participants were affected by the breach.  Seems like a tough sell to me.  I would always assume the 60-day outer limit is going to start running no later than the date the BA announces the breach.

This is also why it's so important in BAAs to have an outer deadline for notification to the CE that's well before the 60-day outer deadline.  The BA is generally acting as the agent for the CE, so the CE is treated as discovering the breach on the first day the BA knew (or should have known by exercising reasonable diligence) of the breach.  That can put the CE in a real bind if the BA takes up most of the time to notify the CE of the breach.

Here's an overview with cites that you might find helpful--

https://www.newfront.com/blog/hipaa-breach-notifications-for-employers

Where the breach occurs at a business associate, the business associate must notify the covered entity of the breach.  The covered entity is then responsible for satisfying the breach notification obligations described above, even though the breach occurred at one of its business associates.

Under the standard HIPAA rules, business associates must notify the covered entity of the breach without unreasonable delay, and in no event later than 60 calendar days following discovery of the breach (or, if earlier, when the breach would have been discovered by exercising reasonable diligence).  However, many BAAs include terms to provide a shorter outer limit (e.g., 15 calendar days) for the business associate to notify the covered entity of the breach to ensure that the covered entity has sufficient time to satisfy its breach notification obligations.  Where the business associate is acting as an agent of the covered entity, the covered entity’s 60-day outer notification limit applies based on the date the business associate discovers the breach—it is not based from the date the business associate notifies the covered entity.

...

45 CFR §164.404:

(a) Standard.

(1)  General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).

...

74 Fed. Reg. 42740, 42754 (Aug. 24, 2009):

https://www.federalregister.gov/documents/2009/08/24/E9-20169/breach-notification-for-unsecured-protected-health-information

If a business associate is acting as an agent of a covered entity, then, pursuant to § 164.404(a)(2), the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, in such circumstances, the covered entity must provide notifications under § 164.404(a) based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach. As reflected in the comments we received in response to the timing of business associate notification to a covered entity following a breach, covered entities may wish to address the timing of the notification in their business associate contracts

78 Fed. Reg. 5565, 5581-5656 (Jan. 25, 2013):

https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the

An analysis of whether a business associate is an agent will be fact specific, taking into account the terms of a business associate agreement as well as the totality of the circumstances involved in the ongoing relationship between the parties. The essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. The right or authority to control the business associate’s conduct also is the essential factor in determining whether an agency relationship exists between a business associate and its business associate subcontractor. Accordingly, this guidance applies in the same manner to both covered entities (with regard to their business associates) and business associates (with regard to their subcontractors).

Because of the agency implications on the timing of breach notifications, we encourage covered entities to discuss and define in their business associate agreements the requirements regarding how, when, and to whom a business associate should notify the covered entity of a potential breach.


Thanks for your thoughts. 

One thing, though:  Wouldn't a business associate typically be an independent contractor, not an agent?  If so, wouldn't this apply to when the covered entity's notification obligation starts?  "In contrast, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach."

(I'll admit to being generally unfamiliar with the tenets of the "federal common law of agency," which is mentioned in the regs.)


An agent can still be an independent contractor.  Clearly there's no employment relationship here between the CE and BA in the vast majority of situations.  So they will always be independent contractors.  But they'll also generally be agents.

Here's the main factor:

17 hours ago, Brian Gilmore said:

The essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.

I would assume in most cases the CE is going to direct the BA's conduct via the terms of their contractual arrangement for services and their general relationship with respect to the plan.
