Additional breach information
Plain English Translation
Business associates must provide the covered entity with all other information required for the covered entity's individual notification — including the type of PHI involved, who accessed it, and what mitigation steps were taken — at the time of notification or as soon as it becomes available.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Implement a basic incident response checklist that specifically requires capturing data types involved and mitigation steps for any third-party reporting.
Required Actions (scaleup)
- Establish secure, encrypted communication channels to share ongoing forensic investigation updates with covered entities as new breach details are discovered.
Required Actions (enterprise)
- Integrate automated ticketing and SOAR platforms with vendor management systems to track and continuously sync breach artifacts and forensic findings in real-time.
They must provide the identification of affected individuals and any other available information that the covered entity needs to include in patient notifications.
It requires them to notify the covered entity of the breach without unreasonable delay and provide specific details needed for the covered entity's individual notifications.
Additional information includes the types of PHI breached, a description of the incident, mitigation steps taken, and advice for individuals to protect themselves.
It must include a brief description of the breach, the types of PHI involved, steps individuals should take, what the organization is doing to investigate, and contact information.
The business associate must provide these details at the time of the initial breach notification or promptly thereafter as the information becomes available.
Yes, the business associate is legally required to promptly provide any newly discovered information related to the breach as the investigation continues.
Notices must explain how the breach occurred, the specific data compromised, mitigation efforts, and toll-free contact numbers for further assistance.
Notification must occur without unreasonable delay and absolutely no later than 60 calendar days after the exact date the breach is discovered.
The covered entity holds the ultimate legal responsibility for notifying affected individuals, relying on the details provided by the business associate.
Covered entities should maintain a centralized security incident log and meticulously record all updates, forensic reports, and communications received from the vendor. WatchDog Security's Compliance Center can help organize these records as compliance evidence so teams can show how breach information was collected, updated, and reviewed.
Additional breach details often arrive in stages as the investigation develops, so teams need a structured way to capture updates, timestamps, owners, and supporting records. WatchDog Security's Compliance Center can help centralize breach-related evidence, map required artifacts to HIPAA obligations, and maintain a clearer record of what information was received and when.
Covered entities depend on business associates to provide accurate and timely forensic details, which can be difficult to manage through ad hoc emails and spreadsheets. WatchDog Security's Vendor Risk Management can help maintain vendor records, assessment context, and follow-up tasks so breach communication obligations are easier to track during an active incident.
"A business associate provides the company, as a covered entity, with any other available information that the company is required to include in notification to the individual (described in 164.404(c)) at the time of the notification or promptly thereafter as information becomes available."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | Compliance Content Team | Initial publication |

