Skip to main content
All playbooks
Playbook

A vendor that handles your PHI had a breach

Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.

Last reviewed: May 2026

The first hour

  1. 1Get the BA's incident notification in writing. Email, letter, or fax — not a phone call. It must include the BA's discovery date, the data categories, the patient counts attributable to your practice, the BA's containment steps, and the BA's recommended notification posture.
  2. 2Note the exact moment you received the notification. Your 60-day patient-notification clock starts from the date you knew or should have known.
  3. 3Pull the BAA. Tag the clauses that matter: notification clock, data-categories disclosure, patient-list disclosure, patient-notification responsibility assignment, and indemnification.
  4. 4Open a written communication channel with the BA — email, with cc to your privacy officer and (if relevant) counsel. Phone is for speed; paper is for protection.
  5. 5Notify your cyber insurance carrier. Many policies cover BA-driven breaches as if they were your own.
  6. 6Ask the BA in writing for the affected patient list — not an aggregate count, the actual list with data elements per patient and date range. The BAA usually requires it; OCR will expect you to have it.
  7. 7Begin drafting your patient notification letter. The 60-day clock is a ceiling, not a target — week-two notifications land better than week-eight notifications with identical content.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • The BA's written incident notification, with timestamps.
  • Your signed BAA and any amendments.
  • The affected patient list and data-element breakdown received from the BA.
  • The written four-factor risk assessment.
  • Copies of every patient notification letter, the mailing dates, OCR portal submission, and any state AG submissions. Six-year retention.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Is it really our problem if the BA was the one breached?+

Yes. Under HIPAA, the covered entity and the business associate each have independent obligations. The BA is liable for the breach; the practice is liable for picking and managing the BA, and for notifying patients on time once the BA notifies you.

What if the BA refuses to send the patient list?+

The BAA usually requires it. Refusal is a BAA breach in its own right — escalate via your cyber insurer's panel attorney, document the refusal, and (in larger incidents) consider termination and civil action. Without the list, your notification will be incomplete and OCR will notice.

Can we let the BA notify our patients on their own?+

Only if the BAA explicitly assigns notification to them, and even then confirm in writing they have started and review the language. Patients almost always react better to a letter from their doctor's office than from a vendor they may not recognize.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.