Your EHR Vendor Had a Breach: What Is Your Practice's Liability?

By GuardWell Compliance Team · May 9, 2026

You receive an email from your EHR vendor on a Friday afternoon: “We are writing to inform you of a security incident that may have affected patient data stored in our system.” Your first reaction is relief that it was not your fault. Your second reaction should be alarm — because under HIPAA, a breach at your business associate is very much your problem. The notification obligations, liability exposure, and remediation requirements that follow a vendor breach are substantial, and how you respond in the first 72 hours can define the outcome for your practice.

Your Vendor Is a Business Associate — and That Creates Obligations

Under HIPAA, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. Your EHR vendor is almost certainly your most significant business associate, given the volume and sensitivity of the data they handle. The relationship is governed by a Business Associate Agreement (BAA) under 45 CFR 164.502(e), which should define each party’s obligations in the event of a breach.

Critically, the HITECH Act made business associates directly liable for HIPAA compliance. That means your vendor faces its own penalties for the breach. But that does not eliminate your obligations as the covered entity. You remain responsible for:

  • Breach notification to affected individuals (unless your BAA explicitly delegates this to the business associate)
  • Notification to HHS (for breaches affecting 500+ individuals, within 60 days)
  • Notification to media (for breaches affecting 500+ individuals in a single state or jurisdiction)
  • Logging the breach in your annual breach report to HHS (for breaches affecting fewer than 500 individuals)
  • Mitigation efforts to reduce the harm caused by the breach

The Notification Timeline

Under 45 CFR 164.404, your practice must notify affected individuals without unreasonable delay and no later than 60 calendar days from the date you discover the breach — or from the date you should have discovered it through the exercise of reasonable diligence. Your BAA should require the business associate to notify you of a breach within a specified timeframe (often 24-72 hours of discovery, though HIPAA requires no later than 60 days).

The clock starts when you know or should have known. If your vendor notified you promptly, your 60-day window begins on the date you received their notification. If your vendor delayed their notification, OCR may still hold you to the date you should have known — which is why BAA provisions requiring rapid notification and regular breach reporting are essential.

What Your BAA Should Cover

A well-drafted BAA is your primary protection when a vendor breach occurs. Key provisions that directly affect your liability include:

  • Breach notification timeline: The BAA should require the business associate to notify you within a specific timeframe (ideally 24-48 hours) of discovering a breach or security incident.
  • Notification responsibilities: Clearly define whether the covered entity or business associate is responsible for notifying affected individuals. In many BAAs, this defaults to the covered entity, but some vendors will agree to handle notification.
  • Indemnification: The BAA may include provisions requiring the business associate to indemnify you for costs arising from a breach caused by their actions or omissions — including notification costs, credit monitoring, and regulatory fines.
  • Cooperation requirements: The business associate must cooperate with your investigation, provide affected individual lists, and support your breach risk assessment.
  • Security requirements: Specific security standards the business associate must maintain, along with audit rights allowing you to verify compliance.

If your BAA is a boilerplate document that your vendor provided and you signed without negotiation, it may not contain the protections you need. Review it now — not after the breach.

Conducting the Breach Risk Assessment

Not every security incident at a vendor constitutes a reportable breach. Under 45 CFR 164.402, you must conduct a four-factor risk assessment to determine whether there is a low probability that PHI was compromised:

  1. The nature and extent of the PHI involved
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

If your risk assessment concludes that there is a low probability of compromise, notification may not be required. But the assessment itself must be documented thoroughly. OCR will scrutinize self-serving risk assessments that conclude no breach occurred without a genuine analysis of the four factors.

Immediate Steps When You Learn of a Vendor Breach

  1. Activate your incident response team. If you do not have one, assemble your Privacy Officer, Security Officer, and legal counsel immediately.
  2. Request a detailed incident report from the vendor. Get specifics: What happened? When? What data was affected? How many patients? What has the vendor done to contain the incident?
  3. Review your BAA. Identify your rights and the vendor’s obligations under the agreement.
  4. Conduct the breach risk assessment. Document the four-factor analysis using the information the vendor provides.
  5. Determine your notification obligations. If notification is required, begin drafting the individual notification letters, the HHS breach report, and the media notice if applicable.
  6. Mitigate. Take reasonable steps to reduce harm — this may include offering credit monitoring to affected individuals, implementing additional access controls, or changing system credentials.
  7. Document everything. Every communication with the vendor, every internal decision, every action taken. Use your incident management system to create a complete record.

Can You Be Fined for Your Vendor’s Breach?

Yes, in certain circumstances. While the HITECH Act made business associates directly liable, OCR has also pursued covered entities for failures related to vendor management. Common bases for covered entity liability include:

  • No BAA in place. If you never executed a BAA with the vendor, you have a standalone HIPAA violation regardless of the breach.
  • Failure to conduct due diligence. If you selected a vendor without evaluating their security posture, OCR may find that you failed to implement reasonable safeguards.
  • Failure to act on known risks. If you knew about security deficiencies at the vendor and did not act, your liability increases significantly.
  • Untimely notification. If you delayed breach notification beyond the 60-day window, the notification failure is your violation regardless of who caused the breach.

Frequently Asked Questions

If my EHR vendor handles the breach notification, am I still responsible?

Ultimately, the covered entity is responsible for ensuring breach notification occurs in compliance with HIPAA. If your BAA delegates notification to the business associate, you should verify that notifications are sent correctly and within the required timeframe. If the vendor fails to notify, OCR will look to you as the covered entity.

Should I terminate my vendor relationship after a breach?

Not necessarily. HIPAA requires you to take reasonable steps to cure a breach of the BAA. If the vendor takes corrective action and the breach is remediated, continued use may be appropriate. However, if the vendor cannot or will not cure the problem, and ending the relationship is feasible, HIPAA expects you to do so. Document your decision-making process either way.

Does my malpractice insurance cover costs from a vendor’s data breach?

Standard medical malpractice policies typically do not cover data breach costs. Cyber liability insurance is a separate product that may cover breach notification expenses, credit monitoring, legal defense, and regulatory fines. If you do not have cyber liability coverage, this is a gap your risk assessment should address.

What if my vendor refuses to cooperate with my investigation?

Your BAA should require cooperation. If the vendor refuses, document every attempt to obtain information and consult with legal counsel about your options, which may include terminating the BAA, pursuing contractual remedies, or reporting the vendor’s non-cooperation to OCR as part of your breach report.
