Breach Notification Checklist: When BAs Are Responsible, CE Prep Counts

By Jane Anderson

Covered entities (CEs) working with business associates (BAs) and BAs working with subcontractors BAs need to carefully establish who is responsible for specific aspects of breach response before a breach occurs to ensure all goes smoothly in the event of a security incident.

That’s the word from three experts on BA agreements (BAAs) and breach response who spoke recently at a national meeting.[1]

“I think it’s important just holistically, when you’re engaging in these relationships, to think long-term in terms of what obligations go with who,” said John Haskell, HIPAA privacy officer at Medline Industries, and a former investigator for the HHS Office for Civil Rights, in offering a checklist for CEs and BAs to follow to make a breach response as effective as possible.

  • Carefully evaluate provisions relating to breach response and attempt to standardize provisions. Mark Fox, privacy and research compliance officer for the American College of Cardiology Foundation, told conference attendees that the time frame of breach notification is one of the most frequently negotiated items in a BAA, “and that is often complicated by state law as well,” which in some cases has a shorter time frame than HIPAA. “So, from our perspective, when we’re negotiating, we try to set up our response and our contractual provisions to be consistent with the most stringent timeframe—I believe currently the two states that have the most stringent timeframes are California and Florida.”

Thora Johnson, partner and chair of the health care practice at Orrick Herrington & Sutcliffe LLP, in Washington, D.C., agreed that, if possible, organizations should standardize their BAAs’ breach notification provisions. However, this obviously may be difficult since “every covered entity wants to have their standard form, and every business associate is going to want to have their standard form,” Johnson said. “So, there’s often some negotiation as to whose form are you using, depending on relative negotiation strength. But to the extent that you can have a streamlined approach, you’ll know that you need to provide notice in X days, say, of a breach, and the simpler your response will be as a business associate.”

A BA working as a subcontractor to another BA will be stuck with whatever timeline already exists in the original BAA since “those obligations are passed down,” Haskell pointed out. “So, if they say, ‘We have a 12-hour timeline notification,’ we have to either take it or leave it.”

  • Know where your BAAs are located, and keep in mind that the breach response provision is what you rely on for defining roles and responsibilities during a response. “One of the challenges you have with business associate agreements is significant variation relating to the terms and conditions regarding a breach response. And because many of us maintain thousands of these, it’s also making sure that you’re readily able to identify where your business associate agreements are and understand that variation,” Fox said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings