Question: If we think we may have breached a particular patient's protected health information (PHI), do we just have to send them a notice of the incident? And if one of our business associates (BAs) was the cause of the breach, do we have to do anything, or do the same requirements not apply to BAs?

Tennessee Subscriber

Answer: First, we'll address the first part of your question. Notifying patients after a breach is paramount, and the disclosure must include particular elements outlined by the feds in HIPAA. The notification must have the following:

As for the second part of your question, BAs, just like your practice, "have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach," cautions OCR guidance. Check out the direct liability of BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.