Patient Protect

Vendor breach response

Your vendor was breached. Here is what it means for your practice.

A business associate breach does not end at the vendor. It extends to every covered entity whose patients' data was involved. Your obligations start the moment you are notified.

Your obligations

Your obligations when a business associate is breached.

Under the HIPAA Breach Notification Rule, a business associate must notify you without unreasonable delay, and no later than 60 days after discovering a breach that involves unsecured protected health information. That clock starts from the date the vendor knew — or should have known — about the incident.

Once notified, the responsibility shifts to you. You must assess whether your patients' data was exposed. You must determine whether the incident meets the threshold for a reportable breach. And if it does, you — the covered entity — are responsible for notifying affected patients. Not the vendor. You.

This is not optional. It is not delegable. And the penalties for failure to notify are separate from the penalties for the underlying breach.

Immediate action

Six steps to take now.

Do not wait for the vendor to tell you what to do. These steps protect your practice and establish a defensible position.

1. Verify your BAA exists and is current

Locate the signed Business Associate Agreement. Confirm it covers the services the vendor provides and has not expired. If no BAA exists, your practice has a separate compliance violation independent of the vendor's breach.

2. Request formal breach details from the vendor

Demand a written breach notification that specifies: what happened, when it was discovered, what data was involved, what the vendor is doing to remediate, and whether your patients' records were affected. The BA is required to provide this under the HIPAA Breach Notification Rule.

3. Identify affected patient records

Cross-reference the vendor's disclosure with the data your practice shared. Determine which patients, what categories of PHI, and how many records are potentially exposed.

4. Conduct your own risk assessment

Apply the four-factor breach risk assessment: (1) nature and extent of PHI involved, (2) who accessed or received the data, (3) whether PHI was actually acquired or viewed, (4) extent of risk mitigation. Do not rely on the vendor's assessment alone.

5. Determine your notification obligations

If the risk assessment shows more than a low probability that PHI was compromised, you — the covered entity — must notify affected patients within 60 days. For breaches affecting 500+ individuals, you must also notify HHS and local media.

6. Document everything

Create a written record of: when you were notified, what you were told, every action you took, every communication with the vendor, your risk assessment methodology and conclusions, and your notification decisions. This documentation is your defense.

Notification responsibility

When you must notify patients.

If the business associate's breach affected your patients' protected health information, the covered entity — your practice — is responsible for patient notification. This is codified in 45 CFR 164.404. The vendor does not send the letters. You do.

Notification must occur without unreasonable delay and no later than 60 days from the date you are notified of the breach. The notice must include: a description of the breach, the types of information involved, steps patients should take, what your practice is doing in response, and contact information for follow-up questions.

For breaches affecting 500 or more individuals in a single state or jurisdiction, you must also notify prominent local media outlets. And regardless of size, all breaches of unsecured PHI must be reported to HHS — either immediately for breaches affecting 500+ individuals, or via the annual breach log for smaller incidents.

The precedent

The Change Healthcare lesson.

190 million patients. $1.5 billion in losses. The Change Healthcare breach was the largest in healthcare history — and it was a vendor breach. Every practice that used Change Healthcare for claims processing, eligibility verification, or payment management was exposed.

Practices that had current, executed BAAs and documented vendor risk assessments were in a defensible position. They could demonstrate due diligence. They had evidence that they evaluated the vendor, understood the data flows, and maintained contractual protections.

Practices that did not — those with missing BAAs, no vendor risk assessments, or no documentation of their vendor oversight — faced joint liability. Not because they caused the breach, but because they failed to manage the relationship that allowed their patients' data to be exposed.

The lesson is not that vendor breaches are inevitable. The lesson is that your preparation before the breach determines your exposure after it.

190M patients affected
$1.5B in total losses
1 vendor compromise

FAQ

Vendor breach questions.

Is my vendor required to notify me of a breach?

Yes. Under the HIPAA Breach Notification Rule (45 CFR 164.410), a business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. Your BAA should also specify notification procedures and timelines.

Am I liable for my vendor's breach?

You can be. If you failed to execute a BAA, failed to conduct vendor risk assessments, or failed to act on known compliance deficiencies, OCR can hold the covered entity jointly liable. Even with a valid BAA, the covered entity retains responsibility for patient notification and its own compliance obligations.

What if my vendor won't share breach details?

A vendor that refuses to disclose breach details is likely violating the BAA and the Breach Notification Rule. Document every request and refusal. Consult legal counsel. Consider filing a complaint with OCR. In the interim, assume the worst-case scenario for your risk assessment and notification decisions.

How do I prevent vendor breach exposure?

Execute current BAAs with every vendor that touches PHI. Conduct annual vendor risk assessments. Verify that vendors maintain their own compliance programs. Monitor breach databases for vendor incidents. Limit the PHI you share to what is minimally necessary. Patient Protect tracks all vendor relationships and flags compliance gaps automatically.

Vendor risk management

Patient Protect tracks vendor BAAs and monitors breach exposure — so you know before it is too late.

Automated BAA tracking, vendor risk assessments, and real-time breach monitoring across every business associate relationship. When a vendor is compromised, you know immediately — and you have the documentation to prove due diligence.