October 14th, 2016
We have a Business Associate who has recently had a data breach. We think they are handling it, but are we liable?
When a Business Associate suffers a data breach, one of its first responsibilities is to notify each Covered Entity (your office) whose data was affected. Once notified, you (the Covered Entity) and the Business Associate are jointly responsible for determining how the breach can best and most efficiently be mitigated.
This may include notifying patients whose information was compromised, making technical (IT) corrections, and improving procedures and training. In many cases the Covered Entity and the Business Associate will need to work together on both the mitigation itself and the details surrounding it.
In addition, your practice should document the breach in full detail as soon as the Business Associate contacts you: the date of the incident, what happened, when and how it happened, who was involved, and so on. This record is what allows you to determine the right corrective course of action.
You and your Business Associate must also document every action taken to correct the incident. Because you are the Covered Entity using the Business Associate's services, you may be liable as well. You have a responsibility to your practice, your patients, and your Business Associate to take proactive steps to handle the current incident, document it accordingly, and evaluate what must change to minimize the risk of it happening again.
Your documented policies and procedures should all be updated accordingly. You should also review your Business Associate Agreements and any other contracts you have with the Business Associate: these documents should spell out, for you and for them, the responsibilities for protecting the access, use, disclosure, integrity, and transfer of protected health information.
They should also provide guidance for reporting incidents and breaches should one occur, as well as the Business Associate's own liability for non-compliance with policies and procedures. For extended information and training on this topic and other compliance-related topics, please visit here.