Privacy Officer's Roundtable

  • 1.  Business Associate Reporting

    Posted 15 days ago
    I have been updating our internal procedures and have been trying to find out specific information as to the obligations of reporting/notifying and following up when a breach has happened at the Business Associate (BA).
    • Is it the BA's responsibility to report and notify when a breach has occurred?
      • or is that something that is discussed between the CE and BA and could go either way?
    • When a BA has notified you of a breach they discovered and are investigating, is it required that they follow up and tell you not only when their investigation turns up a reportable/notifiable breach but also when their investigation turns up a low-level breach that does not need to be reported/notified of?
    I appreciate any insights you may have. Thanks!

    Jennifer Phoenix
    Privacy Specialist
    Olmsted Medical Center
    Rochester, MN

  • 2.  RE: Business Associate Reporting

    Posted 14 days ago
    I work for a BA. Yes, we are obligated per our BAAs to report to the CE. This is a required term in BAAs. It's really up to the CE in terms of what they want reported. Some CEs may want every impermissible use or disclosure reported, while others may only want incidents that we as the BA have assessed as a breach. The CE then reviews that analysis and makes their own conclusion. In terms of doing the notification to the patient, again that's dependent upon the parties. In my opinion a BA shouldn't do a notification unless that's discussed with the CE and the CE has reviewed and signed off on the letter being sent.

    Brenda Manning JD, CIPP/US, CHC, CHPC
    Senior Privacy Counsel
    Maximus, Inc.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
