Corporate Compliance

Q&A: Notification of compliance breach

Compliance Monitor, October 28, 2009

 Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?

 A: The CE has sole responsibility for notifying individuals when required. The CE must notify HHS immediately if a breach involves 500 or more individuals and/or at the end of the calendar year with respect to all breaches, regardless of whether the CE or the BA caused the breach.
A review of the breach notification interim final rule, which is final and was published in the Federal Register August 24, is a good idea. Visit
Chris Apgar, CISSP, answered this question in the Octobert 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Most Popular