Health Information Technologies and Processes

Breach Notification Timeframe Requirements with BA

  • 1.  Breach Notification Timeframe Requirements with BA

    Posted 07-10-2020 14:41
    As some folks know, the model BAA posted on the HHS website refers to the notification timeframe of a BA to the CE as referenced in the regulations, which makes the timeframe no longer than 60 days.  There is a notation in the template that suggests organizations may want to consider "...a stricter timeframe for the business associate to report a potential breach to the covered entity..."

    Some BAAs have non-specific language such as "as soon as possible".  That being said...what timeframes for notification by your BAs do you like to see in your BAAs?

    Thanks and have a nice weekend!


    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: Breach Notification Timeframe Requirements with BA

    Posted 07-11-2020 00:28
    Hi Frank,
    Good to see you on AHIMA forums. :)
    We use a 10-day notification requirement in our BAA template. Our data breach law in Oregon requires vendors to notify the applicable covered entity within 10 days of discovery of a breach as of Jan 1, 2020, which was already our requirement.

    Thanks!
    Aurae

    ------------------------------
    Aurae Beidler MHA,RHIA,CHPS,CHC
    Compliance/Privacy Officer
    ------------------------------



  • 3.  RE: Breach Notification Timeframe Requirements with BA

    Posted 07-11-2020 08:57
    Thanks Aurae!  It is nice to see some familiar names and some folks have reached out offlist by email and messages to welcome me to the eGroup.  They also have asked some very good questions...I might add!

    That Oregon law, I'm guessing, is a nice "motivator" with its 10-day discovery timeframe to help you integrate the 10-day notification window into your BAA. I'm guessing it helps minimize some of the hassle factor that might otherwise exist without that 10-day window, which some experience when trying to decide upon a timeframe for notification by the BA to the CE.


    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 4.  RE: Breach Notification Timeframe Requirements with BA

    Posted 07-12-2020 08:06
    Aurae...one more question, if I may...and just looking for a "guesstimate".  When you folks put BAAs in place do you find that you:

    - Use your version of the BAA the majority of the time
    - Use the BA's version of the BAA the majority of the time
    - Use whichever version so long as what is required or mutually agreed upon is in the BAA

    Thanks!

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 5.  RE: Breach Notification Timeframe Requirements with BA

    Posted 28 days ago
    Hi Frank,
    Great question. We are local government, and many of our contracts are actually at the state level with set standard "unchangeable" language, so I would say it's mostly the first bullet. We have a wonderful general counsel who meticulously looks at our contracts for Oregon contract law requirements beyond our BAA.

    Recently we've run into some technology vendors who refuse to change their BAA (fortunately they've fallen into the 3rd bullet), but with those it requires a full analysis of the potential risks we might face and what is acceptable based on our needs.

    Thanks!
    Aurae

    ------------------------------
    Aurae Beidler MHA,RHIA,CHPS,CHC
    Compliance/Privacy Officer
    ------------------------------



  • 6.  RE: Breach Notification Timeframe Requirements with BA

    Posted 28 days ago
    Sounds like you are on a smooth road with this.  Thanks for sharing!

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------