HIPAA Privacy - Notification by a Business Associate 164.410
Overview:
§ 164.410 Notification by a Business Associate.
(a) Standard.
(1) General Rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.
(2) For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency).
(b) Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c)(1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.
(2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.
Action Items:
1) Obtain copies of all the notification(s) sent by the business associate (or subcontractor) to the covered entity (or business associate for breaches by subcontractors) in the previous calendar year. For the first five notifications made by the business associate in the previous calendar year, obtain and evaluate documentation of the content and timeliness of the notifications made by the business associate or subcontractor. For example, review documentation of when the breach was discovered and what information was the subject of the breach. Determine whether the notifications contain the required content.
Related Documents:
1) Copies of all the notification(s) sent by the business associate (or subcontractor) to the covered entity (or business associate for breaches by subcontractors) in the previous calendar year.
2) Documentation of the content and timeliness of the notifications made by the business associate or subcontractor.
Additional Guidance:
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.