Business Associates Under the HITECH Act: Breach Notification and Enforcement Explained


Kevin Henry

HIPAA

July 19, 2024

7 minutes read

Business Associate Definition

Under the HITECH Act and the HIPAA Privacy and Security Rules, a business associate is any person or organization that performs functions or provides services for a covered entity that involve the use or disclosure of Protected Health Information (PHI). Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are also business associates.

Who qualifies as a business associate

  • Vendors supporting billing, claims processing, practice management, or pharmacy benefit administration.
  • IT service providers, cloud storage, data centers, email gateways, eFax, and data analytics platforms handling PHI.
  • Shredding, document management, e-prescribing gateways, health information exchanges, and consultants accessing PHI.

Who does not qualify

  • Members of a covered entity’s workforce (employees, volunteers).
  • Entities acting as a mere conduit (for example, a courier or an internet service provider) that only transmit PHI and access it, if at all, on a random or infrequent basis, and organizations that handle only properly de-identified information, which is not PHI.

Breach Notification Requirements

The HIPAA Breach Notification Rule requires prompt action when unsecured PHI is compromised. A breach is presumed unless you can demonstrate through a documented Risk Assessment that there is a low probability the PHI has been compromised.

What counts as a breach

  • Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule.
  • Exceptions include: unintentional acquisition, access, or use by a workforce member or other authorized person acting in good faith and within the scope of their authority, with no further use or disclosure; inadvertent disclosure between two persons authorized to access PHI at the same covered entity or business associate, with no further use or disclosure; and disclosures where you have a good-faith belief that the unauthorized recipient could not reasonably have retained the information.
  • PHI that was encrypted or destroyed in accordance with HHS guidance is not “unsecured,” so breach notification typically is not required. The encryption safe harbor applies only if the decryption key was not also compromised; if the key was exposed along with the ciphertext, treat the PHI as unsecured.

Risk Assessment you must document

  • Nature and extent of PHI involved, including identifiers and likelihood of re-identification.
  • Unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • Extent to which the risk has been mitigated (e.g., immediate retrieval, valid destruction confirmations).

Timing and content of a business associate’s notice

  • Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  • Discovery occurs on the first day the breach is known, or by exercising reasonable diligence would have been known, to any employee, officer, or other agent of the business associate other than the person who committed the breach. The clock starts at that moment, not when the incident reaches your compliance or legal team.
  • Provide, to the extent possible, the identities of affected individuals and available details the covered entity needs to notify them (dates, description, types of PHI involved, and mitigation steps).

Documentation

  • Maintain written records of your risk assessment, incident facts, notifications sent, and corrective actions for at least six years.
  • Test escalation procedures and run tabletop exercises so you can meet the 60-day outer deadline. Treat 60 days as a ceiling, not a target: once the relevant facts are known, waiting out the remainder of the period can itself be an unreasonable delay.

Covered Entity Notification Obligations

After a business associate reports a breach, the covered entity is responsible for notifying affected individuals and regulators unless the BAA delegates notice to the business associate. The same 60-day outer limit from the date of discovery applies to individual notices, and notification must be made without unreasonable delay. Note that if the business associate is acting as the covered entity’s agent, the business associate’s discovery date is imputed to the covered entity, so the covered entity’s clock may already be running before the report arrives.

Who must be notified

  • Individuals: Each affected person must receive written notice.
  • Department of Health and Human Services: For breaches affecting 500 or more individuals, the covered entity must notify HHS contemporaneously with individual notice; for fewer than 500, the covered entity logs and reports to HHS no later than 60 days after the end of the calendar year.
  • Media: If 500 or more residents of a single state or jurisdiction are affected, the covered entity must notify prominent media in that area.

How to notify

  • First-class mail to the individual’s last known address, or email if the individual has agreed to electronic notice.
  • If contact information is out of date for fewer than 10 individuals, use an alternative means such as a different written notice, telephone, or other reasonable method. If it is out of date for 10 or more, provide substitute notice by either a conspicuous posting on the home page of your website for at least 90 days or conspicuous notice in major print or broadcast media where the affected individuals likely reside, in either case including a toll-free number that remains active for at least 90 days.
  • Where there is a possibility of imminent misuse of the PHI, you may also notify individuals by telephone or other means in addition to the written notice.

What the notice must include

  • A brief description of what happened, including dates of the breach and discovery.
  • Types of PHI involved (for example, names, addresses, Social Security numbers, diagnoses, or treatment information).
  • Steps individuals should take to protect themselves.
  • What the covered entity (or business associate) is doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods for questions (toll-free number, email, or postal address).

Direct Liability of Business Associates

Business associates are directly liable for compliance failures under HIPAA and the HITECH Act, not only for violating their BAAs. This includes meeting Security Rule obligations and specific Privacy Rule responsibilities assigned to business associates.

Your direct obligations

  • Implement Security Rule safeguards and conduct ongoing risk analysis for ePHI.
  • Use and disclose PHI only as permitted by HIPAA and your BAA, and apply the minimum necessary standard.
  • Report breaches of unsecured PHI to the covered entity within required timeframes.
  • Provide access to ePHI in a designated record set when requested by the covered entity for an individual’s access right.
  • Ensure subcontractors that handle PHI execute BAAs and adhere to the same protections.
  • Make records available to the Department of Health and Human Services for compliance investigations and audits.
  • Maintain required documentation and cooperate with corrective action plans.

Common pitfalls to avoid

  • Storing PHI with a vendor lacking a signed BAA or insufficient safeguards.
  • Delaying internal incident escalation. Because discovery is measured from when any workforce member other than the perpetrator knew or should have known of the breach, every day lost between the help desk ticket and the compliance team is a day taken out of the 60-day window.
  • Failing to document the risk assessment supporting a “no breach” determination.

Enforcement and Penalties under the HITECH Act

The Office for Civil Rights within the Department of Health and Human Services enforces the HIPAA Privacy, Security, and Breach Notification Rules. State Attorneys General may also bring civil actions, and the Department of Justice can pursue criminal cases for certain wrongful disclosures.

How penalty enforcement works

  • OCR investigations may result in resolution agreements with corrective action plans, monitoring, and civil monetary penalties.
  • Penalties follow a four-tier structure based on culpability (from lack of knowledge to willful neglect not corrected) and are assessed per violation with annual caps, adjusted for inflation.
  • Aggravating and mitigating factors include the number of individuals affected, duration, harm caused, cooperation, and implementation of recognized security practices.

Mitigation strategies that reduce risk

  • Maintain an enterprise risk analysis and risk management program aligned to the Security Rule.
  • Encrypt PHI at rest and in transit consistent with HHS guidance so that lost or stolen data is not “unsecured PHI,” and protect and manage the keys separately from the data, since a compromised key forfeits the safe harbor.
  • Train your workforce routinely, test incident response, and practice breach drills.
  • Regularly review BAAs and vendor security to ensure downstream compliance.

Conclusion

As a business associate, you are squarely within HIPAA compliance obligations: safeguard PHI, assess incidents quickly, notify covered entities on time, and document everything. Understanding the Breach Notification Rule, your direct liabilities, and how penalty enforcement works positions you to respond decisively and reduce legal, operational, and reputational risk.

FAQs

What is the definition of a business associate under the HITECH Act?

A business associate is a person or organization that performs services or functions for a covered entity involving the use or disclosure of Protected Health Information. Subcontractors that handle PHI on a business associate’s behalf are also business associates and must meet the same requirements.

How soon must a business associate notify a breach?

You must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of a breach. Your BAA may require even faster internal reporting, so build processes that allow same-day escalation and rapid fact gathering.

What are the penalties for non-compliance with the HITECH Act?

Penalties range across four tiers based on culpability and may include corrective action plans, monitoring, and significant civil monetary penalties per violation with annual caps. In egregious cases, state civil actions or federal criminal enforcement may also apply.

Who enforces the breach notification requirements?

The Office for Civil Rights at the Department of Health and Human Services enforces the HIPAA Breach Notification Rule, with State Attorneys General empowered to bring civil actions where appropriate.
