Ask the Lawyer: May 2011

If a practice has a HIPAA breach by a business associate, and they notify the practice, the practice has to notify the patients, but does the Business Associate have any financial obligations?

New regulations under HITECH make HIPAA breaches a great deal more problematic today than ever before. Practices must now notify patients of a breach, where in the past they may not have done this. All business associates must sign a business associate agreement, and that agreement should address the responsibilities of both the practice and the business associate in the event of a breach, depending on who is responsible for the breach. The business associate agreement should also contain an indemnification clause that assigns the responsibility for “fixing” the breach to the party who caused or allowed the breach. In addition, the business associate agreement should include a provision for the financial responsibility of the party responsible for a breach.

The new HITECH regulations shift liability to business associates if they are responsible for a breach; however, the covered entity remains responsible for notifying patients. This is why updating business associate agreements to address these issues has been imperative since the HITECH regulations were passed.

This article is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. The information contained in this article does not create an attorney-client relationship between Karen McKeithen Schaede Attorney at Law, PLLC and the reader.