Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: If a business associate (BA) commits a breach, should it notify OCR or should the covered entity (CE) do so?
A: CEs are responsible for reporting breaches to OCR. You can delegate the reporting, but you must do so in writing. If your BA fails to report the breach, OCR will call you and not the BA because it’s your regulatory responsibility. Also, the Breach Notification Rule requires BAs to report all breaches of unsecured PHI to CEs. CEs are responsible for completing a four-factor risk assessment to determine what must be reported. This also may be delegated, but it remains the CEs’ regulatory obligation.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.