Hello again, this question was posed to us this past week by one of our clients.
Do Business Associates need to report a breach to HHS or should it be reported to the covered entity, and the covered entity report to HHS?
This is a great question, and I’m going to expand this question to cover Subcontractors, too. Who am I to walk away from a teaching moment?
Since the Omnibus ruling went into affect on September 23, 2013, Business Associates and Subcontractors are now fully regulated by HHS – just like covered entities. They are now required to report breaches over 500 people directly to HHS. You must notify HHS without delay, but no later than 60 days from the date of discovery. Now all breaches must be filed electronically, at http://ocrnotifications.hhs.gov/
The BA should inform the covered entity of the breach, and coordinate the client notification process. Clients need to be notified no matter how many records are breached. As embarrassing as this can be, it is important that you are upfront and honest with everyone. The covered entity does not want to find out on the evening news or in an Internet story that a subcontractor released their client’s information.
Health insurance agents may have contractual commitments to report this breach to the carrier. Some carriers will provide guidance in the event of a breach, and will assist the Business Associate or Subcontractor in the breach compliance process.
Here is a little chart that helps you follow the flow of information. As you can see, information is going to be going downstream. Everyone downstream has responsibilities to everyone that is upstream.
This means that your Subcontractor’s breach will not only adversely effect you, but also your covered entity, and their clients. This is why reviewing Security and Privacy Policies and Procedures of any Subcontractors with whom you are going to be doing business is so important!
What happens if you have a breach of fewer than 500 people?
A breach of fewer than 500 people must be logged and reported on the HHS website at the same address above within 60 days of the end of the calendar year.
In the end, the Business Associate who is responsible for the breach must make sure the breach is properly reported to HHS, that the required notification of clients occurs, all fines are paid, and serve time if the breach is determined to be a felony. All Business Associates need to know the law and the correct steps to follow if there is a HIPAA breach.
Remember, your job in any breach is protecting your clients, their clients, and triaging the breach. Dealing with a breach honestly and openly is the only way to deal with this unfortunate situation and, ultimately, salvaging and repairing your reputation.
Stay HIPAA Compliant my friends!