What do business associates need to do if a breach of PHI occurs?
A business associate must notify the covered entity when it discovers a breach of unsecured PHI. If a business associate maintains PHI for multiple covered entities, it need notify only the covered entity or entities whose information was involved in the breach. If the business associate cannot determine which covered entities the breached information relates to, notification to all potentially affected covered entities may be necessary. A business associate must provide notice of a breach of unsecured PHI to the covered entity without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
A breach is treated as discovered on the first day it is known to the health care provider (or, by exercising reasonable diligence, would have been known). Once a breach is discovered, notification must be sent to affected individuals without unreasonable delay and in no case later than 60 calendar days after the date of discovery (a delay is permitted only if law enforcement requests one). However, if the breach involves PHI maintained by a business associate that is an independent contractor rather than an agent of the provider, the provider's notification clock starts when the business associate notifies the provider of the breach.
In the event of a breach, the business associate should, to the extent possible, provide the health care provider with the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, together with any other available information the provider must include in its breach notification. This information should be provided at the time of notification or promptly thereafter as it becomes available, even if that is after the 60-day period.