Your Patient’s Data, But Not Your Breach

April 20, 2016

Here’s what you do when a HIPAA violation affects your patients, but is the fault of one of your business partners.

Your responsibilities for reporting HIPAA violations are complex, but reasonably clear, if your practice is responsible for the breach. However, what if the protected health information of your patients is violated, not by you, but by one of your business partners? What are your responsibilities then? That depends on whether the partner is a business associate or another “covered entity.”

A covered entity, as defined by HHS, is another healthcare provider, health plan, or claims clearinghouse that must comply with HIPAA regulations on its own. Business associates, on the other hand, are businesses or individuals who have access to some of your patients’ information because of certain services they perform for you, but are not themselves covered entities. An outside billing company is an example of a business associate, and so is your attorney.

If the partner is a business associate, they are responsible for notifying you of any breach that affects your patients. But you, as the covered entity, are responsible for reporting the breach, said Paula Stannard, former acting general counsel for HHS and an attorney specializing in healthcare law with the law firm Alston & Bird in Washington, D.C. HHS requires that you have a written agreement with all business associates outlining their responsibilities for protecting patient information and their responsibilities to you in case of a breach.

Things can get a little more complicated if the business partner responsible for the breach is not a business associate, but another covered entity, such as a lab or hospital, that you have provided with patient information for the purpose of providing patient care. “When two covered entities are involved, there can be arguments over whose watch the breach happened on,” said Rick Hindmand, Chicago-area health care attorney with the law firm McDonald Hopkins. “Say, for example, a medical practice operates out of a hospital, and that hospital has a breach. The hospital will be responsible for reporting the breach, but the practice will be concerned about how it will affect their relationship with their patients. The hospital will need to work with the practice about how best to report the incident to the patients involved.”

It can also be a little tricky when the partner responsible for the breach is another covered entity, but not one that your patients are familiar with, such as a clearinghouse or an outside lab. Patients may wonder why you were sharing their protected data with this business. You’ll want to let your patients know what has happened, and what is being done about it, ideally before they hear about it in the press.

In some cases, things are much simpler if the breach involved another healthcare provider, and it’s nice not to be the party responsible for the breach. But you are still responsible for your relationships with your patients, so working with your partners is good business.