Do you know your Breach Notification Times?
Hint: they’re specified in your BAAs!
By definition, breach notification times are provisions within Business Associate Agreements (BAAs) that spell out the timeframes for acting once a breach is discovered. Heightened regulatory scrutiny coupled with growing concerns over the privacy and security of protected health information (PHI) has prioritized focus on the language contained in BAAs. Consequently, breach notification requirements are increasingly complex—and often more stringent than federal and state requirements.
Wouldn’t it be nice if all your BAAs had the same breach notification time?
Federally, HIPAA requires that impacted patients receive notification of a breach involving their data “without unreasonable delay but no later than 60 days” after the breach has been or should have been discovered. It’s a rational expectation that most Covered Entities (CEs) and Business Associates (BAs) should be able to follow. Some individual states require that patients are notified even sooner.
But CEs and BAs that exchange data throughout the care continuum often require that their customers, vendors and/or partners be notified of breaches within tighter time frames than mandated by federal or state laws. While those timeframes are detailed in the BAA, questions remain that could impact compliance. For example, if a breach is discovered at your organization, or if you are notified of a breach by one of your vendors or partners, do you know your breach notification times? Further:
- If your organization is a CE, does your patient population encompass multiple states? Do you know what the breach notification times are for each state?
- If your organization is a BA, is the breach notification time the same for all your clients and vendors?
- If your organization is a hybrid, acting as a CE in some instances and a BA in others, which breach notification timeframes apply to you?
There are many layers to BAAs, which make understanding breach notification times difficult.
While CEs contract with vendors and partners who have access to PHI, BAs must often contract with other vendors and partners who become “sub-BAs”. Unfortunately, due to the growing complexities of BAAs, breach notification time requirements by the CE often conflict with those of the sub-BAs—leaving the BA stuck in the middle.
For example, if a hospital’s BAA states that BAs need to notify it (as the CE) of a breach within two calendar days, how can the BA comply if its sub-BA has 20 calendar days to report a breach to the BA? Does the clock reset at every link in the chain? The answer may be yes federally, but what about state laws?
Further, it is common to see vaguely defined breach notification times, such as “as soon as possible,” “promptly,” or “without unreasonable delay.” This noncommittal approach to breach notification times leaves CEs and BAs guessing, which can result in compliance disasters.
Imagine these BAA-specific conundrums compounded by hundreds (or thousands) of BAAs, each with different breach notification times.
There is also the question of whether or not it’s logistically possible to comply with shorter notification times demanded by some CEs and BAs.
It’s not just the BAs who struggle with breach notification time compliance. CEs with patients in several states must manage multiple mandates and keep a wide variety of vendors and partners accountable for meeting contractual and regulatory timeframes. Other than paying exorbitant attorney fees for manual BAA review, how can CEs ensure that they fully understand the impact of changing regulations as it relates to notifying their patients across state lines? Further, how can CEs keep their vendors accountable?
However, there is good news. As seen in other areas of healthcare, automation and technological innovations can play a leading role in helping CEs and BAs navigate the murky waters of breach notification times. By ensuring any actions taken in the wake of a breach are aligned with the legal and contractual requirements, CEs and BAs that let technology do the heavy lifting can avoid hefty fines and damaged reputations.