Q&A: Notification of compliance breach

Compliance Monitor, October 28, 2009

Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?

A: The CE has sole responsibility for notifying individuals when required. The CE must notify HHS immediately if a breach involves 500 or more individuals and/or at the end of the calendar year with respect to all breaches, regardless of whether the CE or the BA caused the breach.
 
A review of the breach notification interim final rule, which is final and was published in the Federal Register August 24, is a good idea. Visit www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html
 
Chris Apgar, CISSP, answered this question in the October 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter, visit the HCMarketplace.