At Online Tech, we made the decision to get an independent HIPAA audit across our company policies, procedures, facilities, equipment, physical safeguards, BAA, risk assessment, and security awareness training by a Certified HIPAA Security Specialist, and to recraft our BAA appropriately with the help of attorneys experienced in health care law.
Brian Balow and Tatiana Melnik from Dickinson Wright helped us craft this statement in our Business Associate Agreement:
2.5. Business Associate shall notify Client in writing of any Breach involving Unsecured PHI within five (5) business days of becoming aware of such Breach. All reports of Breaches of Unsecured PHI shall be made in compliance with HITECH Act § 13402 and the regulations issued thereunder.
A Breach will be treated as discovered as of the first day that such Breach is known or reasonably should have been known by Business Associate. Business Associate shall notify Client within seventy-two (72) hours of any suspected or actual Security Incident or breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations.