This blog series has been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. As required by HITECH, the HHS Web site posts a list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”). One area that has received relatively little attention from postings on the HHS List is the extent to which such Large Breaches are reported to be attributable to events involving business associates (“BAs”) of covered entities (“CEs”). 

The HITECH Act provides at Section 13402 (42 U.S.C. Section 17932) that, following a Large Breach of unsecured PHI, a CE must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.  The HITECH Act imposed on a BA many of the obligations that only a CE previously had under the original HIPAA, unless the BA had specifically assumed such obligations contractually in an agreement with a CE. 

However, while Section 17932(b) of  HITECH requires a BA to notify the associated CE that a PHI breach has occurred, under HITECH, such a BA has no obligation or even authority for mandatory or voluntary reporting of a Large Breach directly to HHS. That is solely the obligation of the CE under HITECH Section 17932(e)(3).  Nonetheless, the form of "Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information" to be filed by a CE calls for a disclosure by the CE of information about any breach that occurred at or by a BA.

The effect is that a BA has no effective voice, which has been authorized by HITECH or the interim HHS rules, to allow such BA to make a statement to HHS that could be posted on the HHS List to correct, amend, modify, supplement or even deny a CE report on the HHS List regarding such BA.

Of the 292 PHI breaches listed on the HHS List as of July 31, 2011, the following information has been reported regarding BAs:

  • Approximately 53 of the Large Breaches or 18% allegedly involved BAs of the reporting CEs.
  • Approximately 12 of the Large Breaches of reported Large Breaches allegedly involving BAs contained a narrative as to the Large Breach event.
  • Approximately 8 of the narratives stated that the CE had enforced its agreement with the allegedly involved BA and/or modified or terminated its relationship with such BA.

It is clear that a Large Breach can generate substantial costs, embarrassment and loss of reputation to a CE and an involved BA.  It is in the interest of both parties that prompt, accurate and complete notification of a Large Breach be made to the public and HHS.  Cooperative efforts that optimally should exist between the CE and an involved BA in remediating a Large Breach should also include drafting a mutually acceptable narrative, if such a narrative is to be included in the report to HHS. However, it may not be possible to have agreement on remediation itself or the description that will be reported by the CE to HHS and posted on the HHS List.  HHS should consider giving a BA an opportunity to report its own responsive version of a Large Breach event in a case where a CE attributes involvement to such BA.