The HITECH Act requires a business associate to notify the covered entity when it discovers a breach of unsecured PHI. Business associates, if they are acting as agents of the covered entity, must notify the covered entity as soon as possible after the discovery and no later than 60 days following the discovery of a breach.
The covered entity is then required to notify HHS of the breach within a certain allotted time, which is determined according to when the business associate (if acting as an agent of the covered entity) discovered the breach.
Covered entities are required to notify HHS immediately of any breach affecting more than 500 individuals. Covered entities must notify HHS of each breach affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breach was discovered (not when the breach occurred). If a breach occurred in December 2013 and was discovered in January 2014, the covered entity would have until 60 days into 2015 to report the breach to HHS.
It is very important that business associate contracts cover how and when the business associate will notify the covered entity of a suspected breach.