HIPAA Breach Notification When a Business Associate Is Involved
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 6 min read
Key Takeaways
- ✓ A business associate must notify the covered entity within 60 days of discovering a breach per 45 CFR § 164.410
- ✓ The covered entity is then responsible for notifying affected individuals and OCR — not the BA directly
- ✓ Your BAA should require shorter notification than 60 days — 15–30 days is common in well-negotiated agreements
- ✓ If the BA fails to notify, the CE's own notification obligations still run from when the CE learns of the breach
When a business associate experiences a breach of PHI, the notification obligations flow through a chain: BA to covered entity to individuals and OCR. Each link in the chain has specific timing and content requirements. Understanding this chain — and how your BAA governs it — is essential for both covered entities and business associates. For foundational context, see what a BAA requires of business associates.
How BAA Breach Notification Works (the Chain)
The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) creates a tiered notification structure when a BA discovers a breach:
| Step | Who | To Whom | Deadline | Regulatory Basis |
|---|---|---|---|---|
| 1 | Business Associate | Covered Entity | Without unreasonable delay; no later than 60 days after BA discovers breach | 45 CFR § 164.410 |
| 2 | Covered Entity | Affected individuals | Without unreasonable delay; no later than 60 days after CE learns of breach | 45 CFR § 164.404 |
| 3a | Covered Entity | OCR (breaches affecting 500+ individuals in a state) | Without unreasonable delay; no later than 60 days after CE learns of breach | 45 CFR § 164.408(b) |
| 3b | Covered Entity | OCR (breaches affecting fewer than 500 individuals) | Annually — no later than 60 days after the end of the calendar year in which discovered | 45 CFR § 164.408(c) |
| 4 (if applicable) | Covered Entity | Prominent media outlets (breaches affecting 500+ individuals in a state) | Without unreasonable delay; no later than 60 days after CE learns of breach | 45 CFR § 164.406 |
The covered entity, not the business associate, is responsible for notifying affected individuals. This is why the BA-to-CE notification timeline matters so much — if the BA uses its full 60-day allowance, the CE may have very little time to assess, prepare, and send its own notifications.
BA to Covered Entity: What Must Be Included in the Notification
Under 45 CFR § 164.410(c), a business associate's breach notification to the covered entity must include, to the extent possible:
- Identification of individuals — the identity of each individual whose PHI was or is reasonably believed to have been accessed, acquired, used, or disclosed during the breach
- Description of the breach — a brief description of what happened, including the date of the breach and the date of discovery (if known)
- PHI types involved — a description of the types of unsecured PHI involved in the breach (e.g., full name, Social Security number, date of birth, diagnosis codes)
- Individual protective actions — any steps individuals should take to protect themselves from potential harm resulting from the breach
- BA's response actions — a brief description of what the BA is doing to investigate the breach, mitigate harm to individuals, and protect against further breaches
- Contact information — contact procedures for individuals (and the CE) to ask questions or learn additional information
If the BA does not know the identity of all affected individuals at the time of notification, it must notify the CE of the breach and provide the list of individuals when known (or within 60 days of discovery). A partial notification within 60 days satisfies the requirement even if the complete individual list follows later.
Covered Entity's Downstream Obligations After a BA Breach
When the CE receives a breach notification from its BA, the CE's own notification obligations begin running from the date the CE is deemed to have discovered the breach. Under HIPAA, a BA's discovery of a breach is imputed to the CE from the date the BA discovers it — meaning the CE's clock does not start fresh when the BA notifies it. It starts from when the BA discovered the breach.
This creates a practical compliance problem: if a BA discovers a breach on Day 1 but waits 55 days to notify the CE, the CE has only 5 days remaining to notify individuals before the 60-day statutory deadline. This is the core reason to negotiate a 15–30 day BA notification provision in your BAA. See our guide on BAA negotiation for how to approach this provision.
The CE's obligations after receiving BA notification include:
- Conducting or completing a breach risk assessment if not already done by the BA
- Determining whether the breach is subject to an exception (e.g., unintentional internal access, inadvertent disclosure between authorized persons, good faith belief the recipient could not retain the information)
- Notifying affected individuals by first class mail (or email if individuals have agreed) at their last known address
- If 10 or more individuals cannot be contacted by mail, posting a notice on the CE's website or in major print/broadcast media
- Notifying OCR via the HHS breach reporting portal
- If 500+ individuals in a state or jurisdiction are affected, notifying prominent media outlets in that state
The 60-Day BA Notification Requirement (and Why Your BAA Should Require Less)
HIPAA's 60-day BA notification deadline is a ceiling, not a target. It was established as a statutory maximum in the HITECH Act — the longest legally permissible delay, not the appropriate delay for a functioning compliance program.
Consider what the 60-day maximum looks like in practice for a CE:
- BA discovers breach on January 1
- BA notifies CE on February 28 (59 days later, within the 60-day maximum)
- CE's 60-day notification deadline to individuals was February 28 — the same day the CE found out
- Result: the CE is already at or past its notification deadline when it first learns of the breach
This scenario is precisely why well-drafted BAAs specify 15–30 day BA notification requirements. A BA that discovers a breach and notifies the CE within 15 days gives the CE 45 days to assess, prepare materials, and notify individuals — a workable window for a real-world compliance response.
What Happens When a BA Fails to Notify
If a BA fails to notify the CE within the required timeframe (whether the BAA's contractual timeline or HIPAA's 60-day maximum), several consequences follow:
- The BA has violated its BAA obligations — a material breach of the agreement that may trigger the CE's termination rights
- The BA has violated 45 CFR § 164.410 independently — OCR can take enforcement action against the BA directly
- The CE's notification obligations are not paused by the BA's failure — if the CE learns of the breach through other means (media, regulators, affected individuals), the CE's own notification clock runs from that discovery date
- The CE should send a formal written demand to the BA for breach notification and all required details
Document all communications with a BA following a breach. The CE may need to proceed with its own notification using incomplete information if the BA is unresponsive.
Frequently Asked Questions
How long does a business associate have to report a breach?
Under 45 CFR § 164.410, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering the breach. The BA is deemed to have discovered the breach when any employee, officer, or agent (other than the person who committed the breach) knew or would have known with reasonable diligence. Well-negotiated BAAs require 15–30 days — not the full 60.
What must a BA include in a breach notification to a covered entity?
Under 45 CFR § 164.410(c): identity of affected individuals (or what is known at the time), description of what happened and when, types of PHI involved, steps individuals should take to protect themselves, what the BA is doing to investigate and mitigate, and contact information for further questions. The BA must provide the individual list when known if not available at initial notification.
What if the business associate caused the breach but won't notify?
Send a written demand per the BAA's notification provisions. If the BA remains unresponsive, the CE must proceed with its own breach assessment using whatever information is available — the BA's failure to notify does not pause the CE's obligations. Document all communication attempts. The CE should also evaluate terminating the BA relationship under the BAA's termination-for-cause provisions.