HIPAA Regulations: Notification in the Case of Breach -- Notification By Business Associates - § 164.410
As Contained in the HHS Rules on Notification in the Case of Breach of Unsecured Protected Health Information
HHS Regulations as Amended January 2013
(a) Standard—(1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.
(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
(b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(c) Implementation specifications: Content of notification. (1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.
(2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.
HHS Description and Commentary From the January 2013 Amendments: Notification in the Case of Breach -- Notification By Business Associates
Interim Final Rule
Section 13402(b) of the HITECH Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information. The Act requires business associates to provide such notification to covered entities without unreasonable delay and in no case later than 60 days from discovery of the breach. Additionally, the Act requires business associates to provide covered entities with the identity of each individual whose unsecured protected health information has, or is reasonably believed to have been, affected by the breach. Section 164.410(a) implements section 13402(b) of the Act.
A business associate is required to notify the covered entity of the breach of unsecured protected health information so that the covered entity can notify affected individuals. In the interim final rule, we clarified that a business associate that maintains the protected health information of multiple covered entities need notify only the covered entity(s) to which the breached information relates. However, in cases in which a breach involves the unsecured protected health information of multiple covered entities and it is unclear to whom the breached information relates, it may be necessary to notify all potentially affected covered entities.
Section 164.410(a)(2) provides that a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. As with a covered entity, a business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency). Similarly, as with knowledge imputed to covered entities, the Federal common law of agency controls in determining who is an agent of the business associate.
Section 164.410(b) requires that a business associate provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach. With respect to timing, if a business associate is acting as an agent of a covered entity, then, pursuant to § 164.404(a)(2), the business associate’s discovery of the breach will be imputed to the covered entity. In such circumstances, the covered entity must provide notifications under § 164.404(a) based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is not an agent of the covered entity, then the covered entity is required to provide notification based on the time the business associate notifies the covered entity of the breach. We encouraged covered entities and business associates to address the timing of this notification in their business associate contracts.
Section 164.410(c)(1) requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached. Depending on the circumstances, business associates could provide the covered entity with immediate notification of the breach and then follow up with the required information in § 164.410(c) when available but without unreasonable delay and within 60 days.
Section 164.410(c)(1) requires business associates to provide this information “to the extent possible,” recognizing that there may be situations in which a business associate may be unaware of the identification of the individuals whose unsecured protected health information was breached. For example, a business associate that is a record storage company that holds hundreds of boxes of paper medical records on behalf of a covered entity may be unaware of the names of the individuals whose records are stored. Thus, if the business associate discovers that several boxes are missing, it may be unable to provide the covered entity with a list of the individuals whose information has been breached. In such circumstances, it is not our intent that the business associate delay notification of the breach to the covered entity, when the covered entity may be better able to identify the individuals affected.
Depending on the circumstances surrounding a breach of unsecured protected health information, a business associate may be in the best position to gather the information the covered entity is required by § 164.404(c) to include in the notification to the individual about the breach. Therefore, in addition to the identification of affected individuals, § 164.410(c)(2) requires a business associate to provide the covered entity with any other available information that the covered entity is required to include in the notification to the individual under § 164.404(c), either at the time it provides notice to the covered entity of the breach or promptly thereafter as information becomes available.
Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual. To ensure the covered entity is aware of all the available facts surrounding a breach, the Rule also requires that a business associate provide this information even if it becomes available after notifications have been sent to affected individuals or after the 60-day period specified in § 164.410(b) has elapsed.
We clarified that business associates and covered entities would continue to have the flexibility to set forth specific obligations for each party, such as who will provide notice to individuals and when the notification from the business associate to the covered entity will be required, following a breach of unsecured protected health information, so long as all required notifications are provided and the other requirements of the interim final rule were met. We encouraged the parties to consider which entity is in the best position to provide notice to the individual, which may depend on circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. We also encouraged the parties to ensure the individual does not receive notifications from both the covered entity and the business associate about the same breach, which may be confusing to the individual.
Overview of Public Comments
Many commenters expressed concern over the interim final rule’s treatment of a covered entity’s knowledge of a breach that occurs at or by a business associate. Some commenters stated that a covered entity’s knowledge of a breach should begin when the business associate notifies it of the breach, regardless of whether the business associate is an agent of the covered entity or a non-agent independent contractor. One commenter argued that, if knowledge is imputed when the business associate discovers the breach, a covered entity would not have sufficient time to provide the required notifications to individuals in a timely manner. Other commenters argued that all business associates should be treated as agents of the covered entity, such that the business associate’s knowledge of a breach is imputed to the covered entity. Finally, some commenters asked for more guidance on when a business associate is acting as an agent versus as an independent contractor and how to determine this status under the Federal common law of agency.
Final Rule
The final rule modifies § 164.410 only to make the following technical and nonsubstantive correction: in paragraph (a)(2) of § 164.410, the first sentence is revised to refer to paragraph (a)(1) rather than paragraph (1). With respect to the commenters who expressed concern that a covered entity’s knowledge of a breach depends not only on a business associate’s discovery of the breach but also on the covered entity’s relationship with the business associate, we acknowledge that there are many different types of relationships that can develop between covered entities and business associates based upon the function the business associate performs on behalf of the covered entity. In some situations, a business associate will be acting as an agent of the covered entity, and as such, it makes sense to treat the business associate’s knowledge of a breach analogous to the knowledge of one of the covered entity’s own employees. However, in other situations, because a business associate may not be an agent of the covered entity, it would not be reasonable to impute the business associate’s knowledge directly to the covered entity, and therefore, the covered entity’s knowledge depends on notification from the business associate.
Furthermore, the use of the Federal common law of agency to determine the business associate’s status with respect to the covered entity is consistent with the approach taken in the Enforcement Rule for determining agency liability under the HIPAA Rules. Thus, we believe the use of the standard is appropriate here and should be familiar to most entities. We provide additional guidance regarding who is an agent above in our response to comments on the HITECH modifications to the HIPAA Enforcement Rule. Because of the agency implications on the timing of breach notifications, we encourage covered entities to discuss and define in their business associate agreements the requirements regarding how, when, and to whom a business associate should notify the covered entity of a potential breach.
Response to Other Public Comments
Comment: Several commenters asked OCR to provide sample business associate agreement language to outline the covered entity’s and business associate’s obligations following a breach of unsecured protected health information.
Response: A covered entity’s and business associate’s obligations following a breach of unsecured protected health information will vary depending on the relationship. For example, whether a business associate will send the breach notices to affected individuals and/or notify the Secretary (and media, if applicable) on behalf of a covered entity is a business decision of the parties; how quickly a business associate is to notify a covered entity of a breach within the required timeframe may be based on a number of factors, such as whether the business associate is an agent of the covered entity. However, to help covered entities and business associates implement the new business associate agreement requirements generally under the HITECH modifications to the HIPAA Rules, the Department has published sample business associate agreement provisions on its web site.
Comment: Some commenters asked what happens if a covered entity and a business associate disagree about whether an impermissible use or disclosure is a breach that requires notification. These commenters asked if both parties must be in agreement before breach notification obligations are triggered.
Response: The covered entity is ultimately responsible for providing individuals with notification of breaches and, as indicated above, the clock for notifying individuals of breaches begins upon knowledge of the incident, even if it is not yet clear whether the incident qualifies as a breach for purposes of this rule. Further, this final rule clarifies that the default presumption is that an impermissible use or disclosure is a breach unless it can be determined through a risk assessment that there is a low probability that the data may be compromised. This standard should allow for more uniform application of the risk assessment approach across covered entities and business associates.
Comment: One commenter stated that the requirement that a business associate notify a covered entity of a breach of unsecured protected health information is duplicative of a business associate’s other obligations to notify the covered entity of privacy violations and security incidents.
Response: Business associates are required to report to covered entities any security incidents or uses or disclosures of protected health information not provided for by their business associate agreements, which include but are broader than breaches of unsecured protected health information under this Rule. For example, a security incident need not lead to unauthorized access to protected health information (and thus, is not a breach) but is still an event that should be reported to the covered entity. Further, when a security incident occurs that does rise to the level of a breach, the breach notice to the covered entity suffices to meet the requirement to report the security incident to the covered entity (however, a covered entity may require through the business associate agreement that additional information be reported). Therefore, these requirements are not duplicative.
HHS Description and Commentary From the Interim Breach Rule: Notification in the Case of Breach -- Notification By Business Associates
Section 13402(b) of the Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information. Section 164.410(a) implements § 13402(b) of the Act, but does not include the terms “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses” used in the statute to describe a business associate’s actions with respect to unsecured protected health information because inclusion of such terms was deemed unnecessary.
Thus, following the discovery of a breach of unsecured protected health information, a business associate is required to notify the covered entity of the breach so that the covered entity can notify affected individuals. We clarify that a business associate that maintains the protected health information of multiple covered entities need notify only the covered entity(s) to which the breached information relates. However, in cases in which a breach involves the unsecured protected health information of multiple covered entities and it is unclear to whom the breached information relates, it may be necessary to notify all potentially affected covered entities.
We received several comments in support of adding a provision to require business associates to provide notice to a senior official or privacy official at the covered entity. We do not believe such a provision is necessary, however. Covered entities and business associates already have established business relationships and communication channels, including with respect to privacy and security matters. For example, the HIPAA Rules already require a business associate contract to provide that the business associate report to the covered entity uses or disclosures not provided for by the contract as well as security incidents of which the business associate becomes aware. See 45 CFR 164.504(e)(2)(ii)(C) and 164.314(a)(2)(i)(C). Thus, we believe it is appropriate to leave it up to covered entities and business associates to determine how the required reporting should be implemented.
Section 164.410(a)(2) implements § 13402(c) of the Act, which provides when a breach is to be treated as discovered by the business associate. Accordingly, § 164.410(a)(2) states that a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. Section 164.410(a)(2) further provides that a business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency). As with § 164.404(a)(2) with respect to a covered entity’s knowledge of a breach, we clarify in this provision that the federal common law of agency is to control in determining who is an agent of the covered entity. This approach is consistent with the HIPAA Enforcement Rule (45 CFR part 160, subparts C through E), which provides that the federal common law of agency applies in determining agency liability under the HIPAA Rules. Also, as with § 164.404(a)(2), we have modified the statutory language slightly to better conform to existing language in the HIPAA Enforcement Rule at 45 CFR 160.410, by incorporating the term “reasonable diligence.” We have made these clarifications for consistency and uniformity across the regulations.
Section 164.410(b) implements § 13402(d)(1) of the Act and provides that, with the exception provided in § 164.412, a business associate must provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach. With respect to breaches at the business associate, the covered entity must provide the required notifications to affected individuals under § 164.404(a) without unreasonable delay, but no later than 60 days.
If a business associate is acting as an agent of a covered entity, then, pursuant to § 164.404(a)(2), the business associate’s discovery of the breach will be imputed to the covered entity. Accordingly, in such circumstances, the covered entity must provide notifications under § 164.404(a) based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is an independent contractor of the covered entity (i.e., not an agent), then the covered entity must provide notification based on the time the business associate notifies the covered entity of the breach. As reflected in the comments we received in response to the timing of business associate notification to a covered entity following a breach, covered entities may wish to address the timing of the notification in their business associate contracts.
Section 164.410(c) implements the second sentence of § 13402(b) of the Act, which specifies the information that a business associate must provide to a covered entity following a breach of unsecured protected health information. Section 164.410(c)(1) requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached. Depending on the circumstances, business associates may provide the covered entity with immediate notification of the breach, as discussed above and then follow up with the required information in § 164.410(c) when available but without unreasonable delay and within 60 days.
Section 164.410(c)(1) departs slightly from the statutory language by only requiring business associates to provide this information “to the extent possible.” Based on some comments received, we recognize that there may be situations in which a business associate may be unaware of the identification of the individuals whose unsecured protected health information was breached. For example, a business associate that is a record storage company holds hundreds of boxes of paper medical records on behalf of a covered entity. The business associate discovers that several boxes are missing and is unable to provide the covered entity with a list of the individuals whose information has been breached. It is not our intent that the business associate delay notification of the breach to the covered entity, when the covered entity may be better able to identify the individuals affected.
Further, we recognize that, depending on the circumstances surrounding a breach of unsecured protected health information, a business associate may be in the best position to gather the information the covered entity is required by § 164.404(c) to include in the notification to the individual about the breach. Thus, in addition to the identification of affected individuals, § 164.410(c)(2) requires a business associate to provide the covered entity with any other available information that the covered entity is required to include in the notification to the individual under § 164.404(c), either at the time it provides notice to the covered entity of the breach or promptly thereafter as information becomes available.
Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual. To ensure the covered entity is aware of all the available facts surrounding a breach, we also note that a business associate should provide this information even if it becomes available after notifications have been sent to affected individuals or after the 60-day period specified in § 164.410(b) has elapsed.
In response to a significant number of commenters who expressed concern that this requirement would prevent covered entities and their business associates from addressing these issues in their business associate contracts, we emphasize that we do not intend for this section to interfere with the current relationship between covered entities and their business associates. Business associates and covered entities will continue to have the flexibility to set forth specific obligations for each party, such as who will provide notice to individuals and when the notification from the business associate to the covered entity will be required, following a breach of unsecured protected health information, so long as all required notifications are provided and the other requirements of the interim final rule are met.
We encourage the parties to consider which entity is in the best position to provide notice to the individual, which may depend on circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. We also encourage the parties to ensure the individual does not receive notifications from both the covered entity and the business associate about the same breach, which may be confusing to the individual.
Finally, we note that where an entity provides PHRs (personal health records) to customers of a HIPAA covered entity through a business associate arrangement but also provides PHRs directly to the public and a breach of its records occurs, in certain cases, as described in its rule, the FTC will deem compliance with certain provisions of HHS’ rule as compliance with FTC’s rule. In particular, in such situations, it may be appropriate for the vendor to provide the same breach notice to all its PHR customers since it has a direct relationship with all the affected individuals. Thus, in those limited circumstances where a vendor of PHRs (1) provides notice to individuals on behalf of a HIPAA covered entity, (2) has dealt directly with these individuals in managing their personal health record accounts, and (3) provides notice to its customers at the same time, the FTC will deem compliance with HHS requirements governing the timing, method, and content of notice to be compliance with the corresponding FTC rule provisions.