A Business Associate's HITECH Duty: The Rules for Notifying a Covered Entity of a Breach (45 CFR § 164.410)

Executive Summary

The HIPAA Breach Notification Rule does not apply only to covered entities such as healthcare providers; it also imposes direct obligations on business associates. Under 45 CFR § 164.410, a business associate (BA) that experiences a breach of unsecured protected health information (PHI) must promptly notify the covered entity (CE). For small healthcare practices that rely heavily on vendors for billing, IT, or document storage, this requirement is critical. If a business associate fails to notify you in time, your own 60-day patient notification clock may already be running without your knowledge, exposing you to potential fines and reputational harm.

This article explains what the law requires of business associates, the timing and content of their notifications, and how small practices can strengthen their contracts and oversight to ensure compliance.

Understanding the Regulation

Under 45 CFR § 164.410(a), a business associate that becomes aware of a breach of unsecured PHI must:

  1. Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of the breach.

  2. Provide information to the covered entity that enables them to notify affected individuals under § 164.404(c).

The rule defines “discovery” the same way it does for covered entities: a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the business associate.

Key Timing Requirement: “Without Unreasonable Delay”

While the regulation allows a maximum of 60 calendar days, HHS emphasizes that the operative standard is notification as soon as possible; the 60 days is an outer limit, not a target. Business associates are expected to act much sooner, often within 10–15 days of discovery. This promptness matters because the covered entity has its own 60-day deadline to notify patients and, potentially, the media and HHS, and that deadline is measured from the same discovery date.

Content Requirements for Business Associate Breach Notices

Per 45 CFR § 164.410(c), the notice from a business associate to a covered entity should include, to the extent possible:

  • The identities of each individual whose PHI was breached

  • A brief description of what happened, including the date of the breach and date of discovery

  • A description of the types of PHI involved (e.g., names, Social Security numbers, medical record numbers, diagnoses)

  • Any steps the business associate recommends the covered entity take to protect individuals

  • A description of what the business associate is doing to investigate, mitigate harm, and prevent further breaches

If all of this information is not immediately available, the business associate must still send the initial notice and then supply the remaining details as they become available.

Real-Life Case Study: Vendor Delay, Covered Entity Penalty

In 2019, a medical billing vendor discovered that an employee’s email account had been compromised through phishing. The vendor waited 45 days to investigate before informing its client, a small dermatology clinic. By that time, the clinic had only 15 days left to meet the HIPAA notification deadline for affected patients.

Although the delay originated with the vendor, OCR penalized the covered entity for late notification because the 60-day window had already started when the vendor discovered the breach. The clinic paid $100,000 in a settlement and had to implement strict new vendor oversight protocols.

Lesson Learned: Covered entities bear ultimate responsibility for timely patient notification. A vendor’s delay can become your compliance violation.

Best Practices for Covered Entities

Small practices should not wait until after a breach to find out whether a vendor can meet notification requirements. Proactive steps include:

  • Updating Business Associate Agreements (BAAs) to include specific timeframes for breach notification, preferably within 10 business days of discovery.

  • Requiring immediate preliminary notice even if all details are not available.

  • Verifying vendor breach response plans during contract negotiation.

  • Maintaining multiple points of contact at each vendor for emergency communication.

The Shared Responsibility Model

HITECH and the HIPAA Omnibus Rule expanded liability for both covered entities and business associates. While business associates have a direct legal duty to report breaches, the covered entity remains responsible for ensuring patients are notified on time. This creates a shared responsibility model where communication speed is essential.

Both parties must:

  • Maintain up-to-date contact information

  • Have a documented escalation process

  • Keep secure, redundant communication channels in place for emergencies

Common Pitfalls and How to Avoid Them

Pitfall 1: BAAs That Mirror the 60-Day Deadline

Many BAAs simply repeat HIPAA’s maximum 60-day deadline for business associate notification. This leaves the covered entity no buffer to investigate and prepare patient notifications.

How to Avoid It: Set a much shorter contractual deadline, ideally 5 to 10 days from discovery, for preliminary notice. State that final details can follow as available.

Pitfall 2: No Requirement for Preliminary Notice

Vendors often wait until they have complete breach details before notifying the covered entity. This can consume weeks of critical response time.

How to Avoid It: Include a clause in the BAA requiring immediate preliminary notice with whatever information is known, followed by updates.

Pitfall 3: Overreliance on Vendor Self-Reporting

Some covered entities assume that business associates will always report breaches promptly. In reality, some vendors delay in order to manage their own reputation or legal exposure.

How to Avoid It: Actively monitor vendor systems if possible, request periodic security reports, and require annual HIPAA compliance attestations.

Pitfall 4: Ambiguity Over “Discovery” Date

Disputes can arise over whether the breach discovery date is the day the vendor first found the issue or the day it finished its investigation.

How to Avoid It: Define “discovery” in the BAA as the date the business associate first became aware of facts indicating a breach may have occurred, regardless of investigation status.

Pitfall 5: Incomplete or Missing Individual Lists

If the business associate doesn’t provide a list of affected individuals, the covered entity may not be able to complete timely notifications.

How to Avoid It: Require vendors to maintain accurate contact data and deliver a list of affected individuals as soon as possible.

Pitfall 6: Lack of Escalation Channels

If a vendor’s primary contact is unavailable during a crisis, notification can stall.

How to Avoid It: Maintain at least two designated breach reporting contacts per vendor, including a senior compliance officer.

Pitfall 7: Ignoring Subcontractor Breaches

Business associates may outsource certain functions to “downstream” subcontractors who also handle PHI. A breach at a subcontractor still triggers the BA’s duty to notify the covered entity.

How to Avoid It: Require business associates to have BAAs with all subcontractors and to pass along breach reporting obligations in those contracts.

Business Associate Breach Notification Compliance Checklist (45 CFR § 164.410)

| Task | Responsible | Frequency |
|------|-------------|-----------|
| Review and update Business Associate Agreements (BAAs) to require breach notice within 10 business days | Privacy Officer | Annually |
| Include clause for preliminary breach notice with partial info, followed by updates | Privacy Officer | Annually |
| Ensure BAAs define “discovery” as first awareness of breach facts, not investigation completion | Privacy Officer | Annually |
| Maintain at least two vendor breach contacts, including senior compliance officer | Vendor Manager | Ongoing |
| Confirm vendors have documented breach response plans and compliance attestations | Compliance Officer | Annually |
| Require vendors to provide timely, accurate lists of affected individuals | Compliance Officer | Per incident |
| Monitor vendor security reports and conduct periodic compliance reviews | Compliance Officer | Quarterly |
| Establish internal process to immediately act on vendor breach notifications | Privacy Officer | Ongoing |
| Retain breach correspondence and logs securely for six years | Records Manager | Ongoing |

Final Thoughts and Recommended Next Steps

Business associate breach notification rules under HITECH are mandatory, enforceable legal requirements designed to protect patient privacy and ensure accountability across all parties handling Protected Health Information (PHI). When a business associate discovers a breach, it must notify the covered entity without unreasonable delay, and no later than 60 days after discovery. This duty is not optional and applies regardless of the size of the practice or the nature of the vendor relationship.

For small healthcare practices, the safest approach is to integrate vendor compliance into every stage of the relationship, starting with contract language that clearly defines breach notification obligations, timelines, and required documentation. Beyond contracts, practices should implement workflows to ensure breaches are reported and acted upon quickly, including regular communication channels and periodic compliance checks.

By addressing these requirements before a breach occurs, practices can reduce legal exposure, improve incident response time, and maintain trust with their patients while meeting HITECH’s strict regulatory standards.

Next Steps for Your Practice:

  • Review all BAAs to ensure they require notice within 10 days of discovery

  • Confirm vendors have documented breach response plans

  • Maintain updated vendor contact lists with escalation backups

  • Establish an internal process to act immediately when vendor notice is received

  • Keep all breach-related correspondence and logs for at least six years

Consider leveraging a HITECH compliance automation tool to streamline your efforts. Such platforms help you document and manage obligations, conduct regular risk assessments, and remain audit-ready, reducing liabilities while signaling accountability to regulators and patients alike.