Business associate agreements are one of the tricky parts of complying with the Health Insurance Portability and Accountability Act (HIPAA). The reason? You must trust that the vendor will act responsibly with your protected health information (PHI). Requirements for notification of a possible breach should be strict and clear, says Timothy B. Adelman, JD, an attorney with the law firm of LeClairRyan in Annapolis, MD.
If a contractor loses information in a way that even suggests a possible HIPAA breach, the hospital’s contract should require the contractor to notify the hospital immediately. A provision written that way covers far more situations than one that requires notification only once a breach has been confirmed.
"Some business associate agreements say the contractor will notify the hospital within 30 days of a breach, but we’d rather see a contract that requires the vendor to notify the hospital promptly whenever there is an unauthorized disclosure of or access to PHI," Adelman says. "We don’t want to leave it up to the vendor to decide whether a loss of PHI is a breach, because they may not have the background and resources to make that decision. We want the hospital to be involved in that decision."