Ask the Expert: Our Vendor Had a HIPAA Breach—What Are Our Obligations?

Question: We were notified that there was a breach of HIPAA at one of the vendors we use. The vendor did follow proper protocol, and written notices of the breach were sent to all of the employees. My question is, are there any additional requirements for employers in this situation?

Answer from the experts at HR Hero:

If your vendor had a breach of protected health information in violation of the Health Insurance Portability and Accountability Act (HIPAA), it likely is sufficient for the vendor to provide the notification of the breach and follow the required protocol for the breach. It does not appear that the employer would have any further obligations.

The HIPAA Privacy Rule provides that, in general, a covered entity may not use or disclose an individual’s protected health information (PHI) without specific authorization, except as permitted or required by the Privacy Rule (45 CFR 164.502). Covered entities generally include healthcare providers, health plans, and healthcare clearinghouses, among others.

HIPAA was amended in 2009 to require notification by covered entities and their business associates of breaches of unsecured protected health information (UPHI) (42 USC 17932). Generally, a business associate is any person or entity that performs some function for a covered entity that involves handling PHI. If a covered entity discovers that UPHI that the entity accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses has been breached, the entity must notify each individual whose UPHI has been, or is reasonably believed by the entity to have been, accessed, acquired, or disclosed as a result of the breach.

A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses UPHI must notify the covered entity if the business associate discovers such a breach of the privacy of the UPHI. The notice must identify each individual whose UPHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.

So, it appears that the notice and disclosure requirements for a breach generally must be handled by the covered entity and its involved business associates that experienced the breach, not by the employer.