A vendor that handles your PHI had a breach
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.
The first hour
- 1Get the BA's incident notification in writing. Email, letter, or fax — not a phone call. It must include the BA's discovery date, the data categories, the patient counts attributable to your practice, the BA's containment steps, and the BA's recommended notification posture.
- 2Note the exact moment you received the notification. Your 60-day patient-notification clock starts from the date you knew or should have known.
- 3Pull the BAA. Tag the clauses that matter: notification clock, data-categories disclosure, patient-list disclosure, patient-notification responsibility assignment, and indemnification.
- 4Open a written communication channel with the BA — email, with cc to your privacy officer and (if relevant) counsel. Phone is for speed; paper is for protection.
- 5Notify your cyber insurance carrier. Many policies cover BA-driven breaches as if they were your own.
- 6Ask the BA in writing for the affected patient list — not an aggregate count, the actual list with data elements per patient and date range. The BAA usually requires it; OCR will expect you to have it.
- 7Begin drafting your patient notification letter. The 60-day clock is a ceiling, not a target — week-two notifications land better than week-eight notifications with identical content.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- The BA's written incident notification, with timestamps.
- Your signed BAA and any amendments.
- The affected patient list and data-element breakdown received from the BA.
- The written four-factor risk assessment.
- Copies of every patient notification letter, the mailing dates, OCR portal submission, and any state AG submissions. Six-year retention.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- HHS Breach Notification Rule guidance
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Is it really our problem if the BA was the one breached?+
Yes. Under HIPAA, the covered entity and the business associate each have independent obligations. The BA is liable for the breach; the practice is liable for picking and managing the BA, and for notifying patients on time once the BA notifies you.
What if the BA refuses to send the patient list?+
The BAA usually requires it. Refusal is a BAA breach in its own right — escalate via your cyber insurer's panel attorney, document the refusal, and (in larger incidents) consider termination and civil action. Without the list, your notification will be incomplete and OCR will notice.
Can we let the BA notify our patients on their own?+
Only if the BAA explicitly assigns notification to them, and even then confirm in writing they have started and review the language. Patients almost always react better to a letter from their doctor's office than from a vendor they may not recognize.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.