By Jason Silverstein, COO, PHIflow | November 2018
By definition, breach notification times are provisions within Business Associate Agreements (BAAs) that spell out the timeframes for acting once a breach is discovered. Heightened regulatory scrutiny coupled with growing concerns over the privacy and security of protected health information (PHI) has prioritized focus on the language contained in BAAs. Consequently, breach notification requirements are increasingly complex—and often more stringent than federal and state requirements.
Wouldn’t it be nice if all your BAAs had the same breach notification time?
Federally, HIPAA requires that impacted patients receive notification of a breach involving their data “without unreasonable delay but no later than 60 days” after the breach has been or should have been discovered. It’s a rational expectation that most Covered Entities (CEs) and Business Associates (BAs) should be able to follow. Some individual states require that patients are notified even sooner.
But CEs and BAs that exchange data throughout the care continuum often require that their customers, vendors and/or partners be notified of breaches within tighter timeframes than those mandated by federal or state laws. While those timeframes are detailed in the BAA, questions remain that could impact compliance. For example, if a breach is discovered at your organization, or if you are notified of a breach by one of your vendors or partners, do you know your breach notification times? Further:
There are many layers to BAAs, which make understanding breach notification times difficult.
While CEs contract with vendors and partners who have access to PHI, BAs must often contract with other vendors and partners who become “sub-BAs”. Unfortunately, due to the growing complexities of BAAs, breach notification time requirements by the CE often conflict with those of the sub-BAs—leaving the BA stuck in the middle.
For example, if a hospital’s BAA states that BAs need to notify it (as the CE) of a breach within two calendar days, how can the BA comply if its sub-BA has 20 calendar days to report a breach to the BA? Does the clock reset at every link in the chain? The answer may be yes federally, but what about state laws?
Further, it is common to see vaguely defined breach notification times, such as “as soon as possible,” “promptly,” or “without unreasonable delay.” This noncommittal approach to breach notification times leaves CEs and BAs guessing, which can result in compliance disasters.
Imagine these BAA-specific conundrums compounded by hundreds (or thousands) of BAAs, each with different breach notification times.
There is also the question of whether or not it’s logistically possible to comply with shorter notification times demanded by some CEs and BAs.
It’s not just the BAs who struggle with breach notification time compliance. CEs with patients in several states must manage multiple mandates and keep a wide variety of vendors and partners accountable for meeting contractual and regulatory timeframes. Other than paying exorbitant attorney fees for manual BAA review, how can CEs ensure that they fully understand the impact of changing regulations as they relate to notifying their patients across state lines? Further, how can CEs keep their vendors accountable?
However, there is good news. As seen in other areas of healthcare, automation and technological innovations can play a leading role in helping CEs and BAs navigate the murky waters of breach notification times. By ensuring any actions taken in the wake of a breach are aligned with the legal and contractual requirements, CEs and BAs that let technology do the heavy lifting can avoid hefty fines and damaged reputations.
PHIflow is a data and technology company combining artificial intelligence and legal expertise to help companies understand their HIPAA Business Associate Agreement (BAA) risks and requirements.