The Role of an Agent: When Your Business Associate's Knowledge of a Breach is Imputed to Your Practice
Executive Summary
Under the HIPAA Breach Notification Rule, as modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act, timing is everything. For covered entities, the 60-day clock (45 CFR § 164.404(b)) to notify individuals, the Department of Health and Human Services (HHS), and sometimes the media begins at discovery of the breach.
However, what many small practices overlook is that “discovery” is not limited to when the covered entity itself learns of the breach. If your business associate (BA) is deemed your “agent” under the federal common law of agency, their knowledge of a breach is imputed to you. This means the clock starts ticking the moment your agent knows of the incident, not when they decide to tell you.
Understanding when a BA is considered your agent, and putting safeguards in place, is critical to ensuring timely compliance and avoiding costly penalties.
The Legal Basis for Imputed Knowledge
HITECH’s breach notification requirements are codified at 45 CFR §§ 164.400–414 (see especially §§ 164.402, 164.404, 164.410). Under these provisions, the breach notification clock starts on the date of “discovery,” defined as the first day the breach is known to the covered entity or would have been known by exercising reasonable diligence (45 CFR § 164.402).
When a BA acts as an “agent” of a covered entity, the federal common law of agency applies. In this context:
- Agent: A BA whose actions are subject to the covered entity’s control, even if not directly supervised day-to-day
- Independent Contractor: A BA operating independently without the covered entity’s right to control the details of performance
If a BA is determined to be your agent, their knowledge of a breach triggers your notification clock, whether or not that knowledge is communicated to you promptly.
Why This Matters for Small Practices
Many small practices mistakenly assume that all business associates (BAs) operate as independent contractors and that the breach notification clock begins only when the BA informs them of an incident. However, OCR enforcement actions have demonstrated that this assumption can lead to costly penalties. If OCR determines that your BA is acting as your agent, you are legally responsible for meeting HIPAA’s notification deadlines starting from the date the BA first became aware of the breach, not from the date you were notified.
Real-Life Case Study: Late Notification Leads to Penalty
In 2019, a small dermatology practice entered into a contract with a medical billing company to handle patient account management, including claims processing and payment tracking. Midway through the year, the billing company’s servers suffered a ransomware attack that encrypted data and exposed thousands of patient records containing sensitive PHI.
Instead of promptly notifying the practice, the billing company waited 45 days, claiming it needed time to complete an internal forensic investigation before disclosing the breach. By the time the practice was informed and subsequently notified both affected patients and the Department of Health and Human Services (HHS), the notifications were already 20 days past the 60-day deadline required under HIPAA’s Breach Notification Rule (45 CFR § 164.404(b)).
During its investigation, the Office for Civil Rights (OCR) determined that the billing company functioned as the practice’s agent because the contract gave the practice significant control over billing processes and certain security protocols (45 CFR § 164.410(a)(2)). Consequently, the breach was legally “discovered” on the date the billing company first learned of it. The practice was fined $150,000 for untimely notification, even though it had no direct awareness until weeks later.
Lesson Learned: Agency status depends on contract terms and operational control, not the business associate’s personal interpretation.
Determining Whether a BA is Your Agent
Factors that OCR and courts may consider include:
- The degree of control you have over the BA’s actions
- Whether the BA must follow your detailed procedures or has autonomy
- Contract language describing the relationship (though labels are not determinative)
- How much oversight your practice exercises over the BA’s operations
It is possible for a BA to be your agent for some functions and an independent contractor for others.
Strategies for Compliance
To reduce your risk:
Clarify the Relationship in Contracts – Clearly state in all agreements whether the Business Associate (BA) is acting as an independent contractor or an agent (45 CFR § 164.502(e); § 164.504(e)). Use precise legal language that leaves no ambiguity, and ensure these terms are consistent with HIPAA’s definitions and obligations. Include provisions that limit your operational control over the BA’s day-to-day activities when the intent is to maintain independent contractor status. This clarity can help avoid unintentional agency relationships that could shift liability and notification timelines onto your practice.
Set Reporting Deadlines – Establish strict, written requirements for BAs to notify you of any suspected or confirmed breach within 24 to 48 hours of discovery (45 CFR § 164.410(b)). This requirement should apply even if the BA has not yet completed its internal investigation. Early reporting gives your practice more time to assess the situation, determine the scope of the incident, and meet HIPAA’s 60-day notification deadline without unnecessary delays.
Implement Oversight Procedures – Develop and maintain a formal process for monitoring BA compliance. This may include periodic audits, compliance check-ins, and reviewing breach logs or incident reports (45 CFR § 164.530(c)). Keep detailed records of all oversight activities, as documented proof can be valuable during an OCR investigation to demonstrate your due diligence in managing vendor relationships.
Train Your Staff – Provide targeted training for your privacy and security officers, as well as other relevant staff, on the legal and operational consequences of agency relationships under HIPAA. Ensure they understand that in some cases, breach notification deadlines can start the moment a BA discovers an incident, not when they inform you. Regular refresher sessions can reinforce this knowledge and help maintain compliance awareness across your team.
Common Pitfalls and How to Avoid Them
Pitfall 1: Assuming Contract Language Alone Controls Agency Status
While contract terms matter, OCR and courts will also consider the actual level of control you exercise.
How to Avoid It: Align your operational practices with the contract terms. If you state the BA is independent, avoid exercising detailed control over their daily work.
Pitfall 2: Allowing BAs to Self-Determine Breach Discovery Dates
Some BAs may delay notifying you until they complete their internal investigation.
How to Avoid It: Require immediate reporting of any suspected incident and allow your practice to participate in the risk assessment process.
Pitfall 3: Ignoring Partial Agency Relationships
A BA may be your agent for one function (e.g., patient billing) but independent for another (e.g., marketing).
How to Avoid It: Review each scope of work separately to determine agency implications.
Pitfall 4: Missing Internal Deadlines After BA Notification
Even if the BA reports promptly, internal delays can push you past the 60-day limit (45 CFR § 164.404(b)).
How to Avoid It: Establish an internal breach response team and workflow to act immediately upon notification.
Pitfall 5: Lack of Documentation on BA Oversight
Without evidence of oversight, OCR may question your compliance efforts.
How to Avoid It: Keep records of BA audits, check-ins, and training sessions.
Pitfall 6: Not Considering State Law Requirements
Some state laws have stricter timelines for breach notification, which may apply regardless of federal rules.
How to Avoid It: Maintain a state breach law chart and apply the most stringent requirement.
Pitfall 7: Overreliance on BA Security Measures
Assuming the BA’s security program eliminates your risk ignores the fact that the breach clock may still start with their discovery.
How to Avoid It: Integrate BA breach reporting into your practice’s overall risk management plan.
Pitfall 8: Failing to Test Communication Channels
In a breach, outdated contact information or untested channels can delay reporting.
How to Avoid It: Test breach reporting procedures with BAs annually.
Agent Knowledge and Breach Notification Checklist
| Task | Responsible Party | Frequency |
|---|---|---|
| Review and clearly define agency vs. independent contractor status in all BA contracts. | Legal / Compliance Officer | Upon contract drafting/renewal |
| Establish strict BA reporting deadlines for suspected or confirmed breaches (24–48 hours) (§ 164.410(b)). | Compliance Officer | Ongoing |
| Implement a formal BA oversight program including audits, compliance checks, and incident report reviews. | Compliance Officer / Vendor Management | Quarterly or annually |
| Maintain detailed documentation of BA oversight activities and communications. | Compliance Officer | Ongoing |
| Train staff on agency implications and the importance of timely breach reporting. | Privacy/Security Officer | Annually and as needed |
| Monitor and verify BA breach notifications to ensure they meet internal deadlines. | Breach Response Team | Continuous during incidents |
| Segment BA functions to identify partial agency relationships and tailor oversight accordingly. | Legal / Compliance Officer | Annually or contract update |
| Maintain an up-to-date chart of state breach notification laws and apply the strictest rules. | Legal / Compliance Officer | Annually |
| Test BA communication and breach reporting channels at least annually. | Compliance Officer / IT | Annually |
| Develop and follow internal breach response workflows to act immediately upon BA notification. | Breach Response Team | Ongoing |
This checklist helps small practices manage the legal risks of imputed BA knowledge, ensuring timely breach notifications and regulatory compliance.
Final Thoughts and Recommended Next Steps
The concept of imputed knowledge under the federal common law of agency can significantly affect your breach notification timeline under HITECH. For small practices, understanding when a BA is your agent, and structuring relationships accordingly, is essential to avoiding penalties.
Next Steps for Your Practice:
- Review all BA agreements for agency implications
- Implement strict incident reporting requirements
- Conduct annual training for compliance staff on agency and breach rules
- Audit BA compliance and maintain records of oversight
By proactively managing BA relationships and clarifying reporting obligations, small practices can meet HITECH’s strict breach notification timelines and reduce enforcement risk.
To safeguard your practice, adopt a compliance management system. These tools consolidate regulatory obligations, provide ongoing risk monitoring, and ensure you’re always prepared for audits while demonstrating your proactive approach to compliance.
Consider leveraging a compliance automation tool to streamline your efforts. Such platforms help you document and manage obligations, conduct regular risk assessments, and remain audit-ready, reducing liabilities while signaling accountability to regulators and patients alike.