When a business associate breaches a business associate agreement (BAA), it can have serious consequences for both the business associate and the covered entity. The BAA outlines breach notification processes and potential consequences, such as termination of the agreement, implementation of corrective action plans, and financial penalties. These measures help ensure that protected health information (PHI) remains secure and that both parties comply with HIPAA regulations.
A breach occurs when a business associate fails to comply with the terms of the BAA, resulting in unauthorized access, use, or disclosure of PHI. Common breaches include:
Under HIPAA, business associates are required to notify the covered entity of any breach of unsecured PHI. The BAA typically specifies:
When a business associate breaches the BAA, several consequences can follow:
The covered entity may terminate the BAA if the business associate fails to correct the breach or if the breach is deemed severe enough to warrant immediate termination. Termination can have financial and reputational impacts on the business associate.
In some cases, the covered entity may require the business associate to implement a corrective action plan to address the breach and prevent future incidents. This plan might include:
HIPAA violations stemming from a BAA breach can lead to financial penalties. The Department of Health and Human Services (HHS) can impose fines ranging from $100 to $50,000 per violation, depending on the severity of the breach and the level of negligence.
A breach can harm a business associate's reputation, potentially leading to lost business opportunities and decreased trust from clients. Covered entities are unlikely to engage with a business associate with a history of non-compliance.
In 2010, a data breach involving Stanford Hospital & Clinics and its business associate, Multi-Specialty Collection Services LLC, exposed the PHI of 20,000 emergency room patients. The breach occurred when encrypted patient data, sent to the business associate, was later shared in an unencrypted spreadsheet with another business associate, Corcino & Associates, to create a graph. The second business associate then posted the data on a third-party student homework website, where it remained accessible for nearly 12 months. The exposed information included patient diagnoses, treatments, billing charges, and admission/discharge dates. One patient’s psychiatric diagnosis was also made public. The incident resulted in a class-action lawsuit under California’s Confidentiality of Medical Information Act (CMIA), leading to a $4.125 million settlement split among Stanford and its business associates. While Stanford was found to have taken appropriate security measures, the breach showed the risks of inadequate data handling by business associates.
To avoid breaching a BAA, business associates should:
After a breach, the business associate should notify the covered entity immediately, provide details of the breach, and take steps to mitigate any damage. They may also need to assist in notifying affected individuals and regulatory bodies.
Yes, if the covered entity fails to ensure that a BAA is in place or does not take appropriate action to address the breach, it may also be held liable for HIPAA violations.
Failure to report a breach can result in increased penalties for the business associate. It may also lead to termination of the BAA and damage to the business relationship with the covered entity.
Business associates can demonstrate compliance by maintaining up-to-date security measures, conducting regular training and audits, and following all breach notification protocols outlined in the BAA.