How long does a business associate have to notify you of a breach?

The correct answer is that a business associate must notify you of a breach within 60 days. This timeframe is mandated by the Health Insurance Portability and Accountability Act (HIPAA) regulations, which require business associates to report breaches of unsecured protected health information (PHI) without unreasonable delay and, in no case, later than 60 calendar days after the discovery of the breach. This requirement ensures timely communication regarding breaches, allowing covered entities to take necessary actions to mitigate any potential harm to affected individuals and maintain compliance with privacy regulations.

In this context, the other timeframes offered are not compliant with HIPAA regulations and therefore do not reflect the appropriate legal requirements established for breach notification. Understanding these timelines is crucial for ensuring that both covered entities and business associates handle breaches appropriately to protect patient information and maintain trust.