Confidentiality, Privacy and Security

Breach Notification Timeframe Requirements with BA


    Posted 07-10-2020 14:41
    As some folks know, the model BAA posted on the HHS website refers to the notification timeframe of a BA to the CE as referenced in the regulations, which makes the timeframe no longer than 60 days.  There is a notation in the template that suggests organizations may want to consider "...a stricter timeframe for the business associate to report a potential breach to the covered entity..."

    Some BAAs have non-specific language such as "as soon as possible".  That being said...what timeframes for notification by your BAs do you like to see in your BAAs?

    Thanks and have a nice weekend!

    Frank Ruelas
    Compliance Professional