Q/A: Are You Liable When a Business Associate Has a Data Breach?

by ChiroCode
October 14th, 2016


We have a Business Associate who has recently had a data breach. We think they are handling it but are we liable?


When a Business Associate has a data breach, one of its first responsibilities is to notify the impacted Covered Entity or Entities (your office). Once notified, the Covered Entity (you) and the Business Associate share the responsibility for determining how the breach is best and most efficiently mitigated.

This may include contacting patients whose information has been compromised, making technical IT-related corrections, making procedural and training corrections or improvements, etc. In many cases, the Covered Entity and the Business Associate will need to work together to mitigate the issue and handle the necessary details jointly.

Additionally, your practice should document the full details of the breach incident as soon as the Business Associate contacts you. This includes the date of the incident, what happened, when, how, who was involved, etc. This information enables you to determine the most appropriate corrective course of action.

You and your Business Associate must also document all action steps taken to correct the incident. Because you are the Covered Entity using the services of the Business Associate, you may be liable as well. You have a responsibility to your practice, your patients, and your Business Associate to take proactive steps to handle the current incident, document it accordingly, and, of course, evaluate how to minimize the risk of this incident occurring again.

Documented policies and procedures should all be updated accordingly. You should also review your Business Associate Agreements and any other contractual documents you have with the Business Associate, as these should spell out, for you and for them, the responsibilities to protect the access, use, disclosure, integrity, and transfer of protected health information.

They should also provide guidance on the reporting of incidents and breaches, should one occur, as well as the Business Associate's own liability for non-compliance with policies and procedures. For extended information and training on this topic and other compliance related topics, please visit here.

Q/A: Are You Liable When a Business Associate Has a Data Breach?. (2016, October 14). Find-A-Code Articles. Retrieved from https://www.findacode.com/articles/are-you-liable-when-a-business-associate-has-a-data-breach-34796.html

© InnoviHealth Systems Inc
