When a Business Associate Violates Its Agreement to Protect Phi

When a business agreement is formed to protect PHI or Protected Health Information, it is essential for both parties to adhere to the terms agreed upon. PHI is any identifiable information related to a patient’s health status, medical treatment, or payment. For this reason, it is protected under the Health Insurance Portability and Accountability Act (HIPAA).

If a business associate violates their agreement to protect PHI, it can have serious consequences for both parties. Here’s what you need to know about the breach and how to handle it.

What constitutes a breach of PHI agreement?

A breach is defined as an impermissible use or disclosure under the HIPAA guidelines. When a business associate fails to protect PHI, it can result from various reasons, such as human error, theft, or hacking. It is important to note that a breach does not have to be intentional for it to be considered a violation.

What are the consequences?

The consequences of a PHI breach can range from minor to severe, depending on the severity of the breach and how quickly it is reported and resolved. Whether it is accidental or intentional, a breach can result in significant financial and legal consequences.

The first consequence is financial. A company that violates HIPAA can be fined up to $1.5 million per year. Additionally, the business associate can face legal action from the affected patients or clients. This can be costly, time-consuming, and damaging to the reputation of your business.

The second consequence is reputational. The loss of trust from your clients can have long-term consequences on your business. Clients may also take legal action against the business associate, leading to unfavorable publicity and loss of business.

What to do if a business associate violates its agreement to protect PHI

If you suspect or discover that a business associate has violated its agreement to protect PHI, you should take immediate action to minimize the damage.

The first step is to review the business agreement and determine the extent of the breach. Assess the risks to the affected patients or clients, and take necessary measures to mitigate them. This may entail notifying those affected by the breach, providing credit monitoring, or offering other resources to help them protect their identity.

Next, take steps to address the root cause of the breach. Whether it is an internal system error, a third-party vendor issue, or a human error, identify and address the problem immediately to prevent future breaches.

Finally, report the breach as soon as possible to the appropriate authorities and ensure that all relevant parties are informed. This includes the affected patients or clients, the business associate, and the regulatory authorities.


As a business associate, it is essential to adhere to the terms of a PHI agreement to protect your clients’ sensitive information and avoid legal and financial penalties. If a breach of PHI occurs, take swift action to address the issue and mitigate the risks. By being proactive and transparent in your response, you can minimize the damage and maintain the trust of your clients.