For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous. But what about breaches the CE doesn’t know about? What if the CE’s business associate (BA) fails to report a breach of unsecured health information? What if the BA doesn’t even know about the breach?
The Interim Final Rule published by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility: "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself."
The date a breach is discovered is extremely important: notice must go out without unreasonable delay and in no case later than 60 calendar days after discovery. The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach. Where the BA is acting as the CE's agent, the clock starts running when the BA knew, or by exercising reasonable diligence should have known, about the breach; where the BA is an independent contractor rather than an agent, the CE's clock starts when the BA notifies it of the breach, which makes the BA's own reporting obligation and timeline a matter to nail down in the business associate agreement. According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under the federal common law of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so."