The javascript used on this site for creative design effects is not supported by your browser. Please note that this will not affect access to the content on this web site.
Skip Navigation
H H S Department of Health and Human Services
U.S. Department of Health and Human Services
Health Information Technology and Quality

A-Z Index  |  Questions?  |  Order Publications  |  HRSA Mobile

What do business associates need to do if a breach of PHI occurs?

A business associate must notify the covered entity when it discovers a breach of unsecured PHI. If a business associate maintains PHI for multiple covered entities, it must notify only the covered entity(s) related to the breached information. If the business associate is unable to determine to which covered entities the breached information relates, then notification to all potential affected covered entities may be necessary. A business associate must provide notice of a breach of unsecured PHI to a covered entity without unreasonable delay and in no case later than 60 days after the discovery of the breach.

Once a health care provider discovers a breach (i.e., when the incident that involves the impermissible use or disclosure of PHI becomes first known), a notification needs to be sent to affected individuals without unreasonable delay and in no case later than 60 calendar days after the date of the breach (unless requested by law enforcement). However, if the breach occurred with regard to PHI maintained by a business associate who is an independent contractor, then the health care provider must provide notification based on the time the business associate notifies the covered entity of the breach.

In the event of a breach, the business associate to the extent possible should provide the health care provider with the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been breached and any other available information that needs to be included in the breach notification (even if it s after the 60-day period). 



Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.  More>
Stay Informed