
When a business associate breaches a business associate agreement (BAA), it can have serious consequences for both the business associate and the covered entity. The BAA outlines breach notification processes and potential consequences, such as termination of the agreement, implementation of corrective action plans, and financial penalties. These measures help ensure that protected health information (PHI) remains secure and that both parties comply with HIPAA regulations.
What constitutes a breach of the BAA?
A breach occurs when a business associate fails to comply with the terms of the BAA, resulting in unauthorized access, use, or disclosure of PHI. Common breaches include:
- Failing to implement adequate security measures to protect PHI.
- Unauthorized sharing of, or access to, PHI.
- Failing to report a data breach to the covered entity within the required timeframe.
- Not complying with breach notification protocols outlined in the BAA.
Examples of potential breaches
- Lost or stolen devices: A business associate loses a laptop containing unencrypted PHI.
- Improper disposal of records: Physical or electronic PHI is not properly disposed of, leading to unauthorized access.
- Unauthorized access: Employees access PHI without a valid business need.
Breach notification requirements
Under HIPAA, business associates are required to notify the covered entity of any breach of unsecured PHI. The BAA typically specifies:
- Timeframe for notification: Business associates must report the breach within a specific period, usually within 60 days of discovering the breach.
- Details of the breach: The notification should include a description of the breach, the types of PHI involved, and any steps taken to mitigate the damage.
- Assistance with breach response: Business associates may be required to assist the covered entity in responding to the breach, including notifying affected individuals and regulatory bodies if necessary.
Consequences of a breach
When a business associate breaches the BAA, several consequences can follow:
Termination of the agreement
The covered entity may terminate the BAA if the business associate fails to correct the breach or if the breach is deemed severe enough to warrant immediate termination. Termination can have financial and reputational impacts on the business associate.
Corrective action plans
In some cases, the covered entity may require the business associate to implement a corrective action plan to address the breach and prevent future incidents. This plan might include:
- Enhanced security measures.
- Employee training on HIPAA compliance.
- Regular audits to ensure compliance.
Financial penalties
HIPAA violations resulting from a BAA breach can result in financial penalties. The Department of Health and Human Services (HHS) can impose fines ranging from $100 to $50,000 per violation, depending on the severity of the breach and the level of negligence.
Reputational damage
A breach can harm a business associate's reputation, potentially leading to lost business opportunities and decreased trust from clients. Covered entities are unlikely to engage with a business associate with a history of non-compliance.
In the news
In 2010, a data breach involving Stanford Hospital & Clinics and its business associate, Multi-Specialty Collection Services LLC, exposed the PHI of 20,000 emergency room patients. The breach occurred when encrypted patient data, sent to the business associate, was later shared in an unencrypted spreadsheet with another business associate, Corcino & Associates, to create a graph. The second business associate then posted the data on a third-party student homework website, where it remained accessible for nearly 12 months. The exposed information included patient diagnoses, treatments, billing charges, and admission/discharge dates. One patient’s psychiatric diagnosis was also made public. The incident resulted in a class-action lawsuit under California’s Confidentiality of Medical Information Act (CMIA), leading to a $4.125 million settlement split among Stanford and its business associates. While Stanford was found to have taken appropriate security measures, the breach showed the risks of inadequate data handling by business associates.
How to prevent breaches
To avoid breaching a BAA, business associates should:
- Implement security measures: Use encryption, firewalls, and other security technologies to protect PHI.
- Train employees: Ensure all employees handling PHI are trained on HIPAA requirements and understand their responsibilities under the BAA.
- Conduct regular audits: Perform regular security and compliance audits to identify and address potential vulnerabilities.
- Follow breach notification protocols: Ensure that any breach is reported promptly and handled according to the terms of the BAA.
FAQs
What should a business associate do after a breach?
After a breach, the business associate should notify the covered entity immediately, provide details of the breach, and take steps to mitigate any damage. It may also need to assist in notifying affected individuals and regulatory bodies.
Can a covered entity be held liable for a business associate's breach?
Yes, if the covered entity fails to ensure that a BAA is in place or does not take appropriate action to address the breach, it may also be held liable for HIPAA violations.
What happens if a business associate does not report a breach?
Failure to report a breach can result in increased penalties for the business associate. It may also lead to termination of the BAA and damage to the business relationship with the covered entity.
How can a business associate demonstrate compliance?
Business associates can demonstrate compliance by maintaining up-to-date security measures, conducting regular training and audits, and following all breach notification protocols outlined in the BAA.