Business Associate Breach vs Violation: Cure Breaches, End Violations

Business Associate Breach vs Violation: Cure Breaches, End Violations

hipaa business associate breach vs violation: distinguish a curable contract breach from an ongoing violation and document the required response.

LakeRidge Team
July 16, 2026
8 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

In a hipaa business associate breach vs violation analysis, a breach is generally a failure to meet a contractual obligation that the covered entity should require the business associate to correct, while a violation is noncompliant conduct that must be stopped. Under HIPAA Security Rule § 164.314(a)(1), the practical verdict is not to debate labels indefinitely: when the covered entity knows of a pattern of material noncompliance, it must take reasonable steps to cure the breach or end the violation and, if those steps fail, terminate the arrangement if feasible or report the problem to the Secretary.

What does “hipaa business associate breach vs violation” mean in practice?

HIPAA does not supply a neat glossary definition that turns every vendor failure into either a “breach” or a “violation.” The terms appear together in § 164.314(a)(1), which addresses a covered entity’s duty after it knows of a pattern of activity or practice by a business associate that constitutes a material breach or violation of the associate’s obligation under the contract or other arrangement.

For an MSSP analyst, the useful operational distinction is based on the required response:

  • A material breach is usually a failure to perform a required contractual duty. The response is to cure it: remediate the missed duty, correct the affected condition, and verify that the cure is effective.
  • A violation is usually prohibited or ongoing conduct that conflicts with the business associate’s HIPAA or contractual obligations. The response is to end it: stop the practice, contain its effects, and ensure it cannot continue.

The difference matters because a vendor may successfully fix a historical failure without proving that an ongoing improper practice has stopped. Conversely, a vendor may stop an improper practice immediately but still need to cure the consequences of its prior failure. In many investigations, the same facts require both actions.

Do not confuse this use of “breach” with a reportable breach of unsecured protected health information under the HIPAA Breach Notification Rule. A material contract breach can exist without an impermissible disclosure of PHI, and a reportable PHI breach may also reveal a material breach of the business associate agreement.

What is a business associate contract breach?

A business associate contract breach occurs when the associate fails to perform a material term in the business associate agreement, MOU, or other qualifying arrangement. Under § 164.314(a)(2)(i), the agreement must require the business associate to implement reasonable and appropriate safeguards for ePHI, ensure its agents and subcontractors do the same, report security incidents of which it becomes aware, and allow termination when the covered entity determines that the associate violated a material contract term.

For example, a cloud document-management vendor’s BAA requires notification of security incidents within five business days. The vendor discovers repeated failed administrator logins and an exposed service account but does not tell the covered entity for 45 days. If the reporting obligation is material, the failure to report is a contract breach. A reasonable cure may include a written incident report, a root-cause analysis, corrected monitoring rules, updated escalation procedures, evidence of staff training, and a defined retest period.

The cure should be more than an apology or a revised policy. It should address the actual contractual failure and establish evidence that the business associate can now meet the obligation.

What is a business associate violation?

A business associate violation is conduct that contravenes an obligation under the BAA or other arrangement and continues until the associate stops it. A common example is a vendor continuing to allow workforce members to use shared administrator accounts for a platform holding ePHI, despite a contract requirement to maintain appropriate access safeguards. The associate must end the practice by disabling shared accounts, assigning named accounts, enforcing multifactor authentication, and reviewing access logs.

Consider Harborline Urgent Care, an 18-clinic organization with approximately 240 employees. Harborline uses eClinicalWorks for clinical records, Microsoft 365 for administrative communications, and a third-party revenue-cycle vendor that accesses patient billing work queues through a Citrix portal. During an MSSP review, Harborline finds that the vendor has allowed offshore subcontractor accounts to remain active for 90 days after assignments ended. The issue is not merely that an access review was missed; the vendor is continuing an unauthorized access practice. Harborline should require the vendor to disable the accounts immediately, identify all access performed, validate the subcontractor agreement, and provide evidence that its offboarding control is operating.

How do business associate breaches and violations compare?

Question Material Breach Violation
What is it? A failure to meet a material BAA, MOU, or other arrangement obligation. Conduct that conflicts with a HIPAA or contractual obligation, often continuing until stopped.
Primary response verb in § 164.314(a)(1) Cure the breach. End the violation.
Typical evidence Missed notification, incomplete risk analysis, absent subcontractor agreement, unperformed access review. Continued shared accounts, ongoing unauthorized disclosure workflow, persistent use of unencrypted ePHI transmission.
Example corrective action Provide the overdue incident report, execute missing subcontractor terms, complete and validate the required review. Disable shared accounts, stop the disclosure route, block insecure transmission, remove improper access.
What must the covered entity verify? That the missed obligation has been remediated and the corrective control now operates. That the prohibited conduct has ceased and cannot recur through the same workflow.
If remediation fails Terminate if feasible; otherwise report the problem to the Secretary. Terminate if feasible; otherwise report the problem to the Secretary.

Where do teams confuse breach and violation under this control?

The most common mistake is treating every vendor security finding as a one-time breach that can be closed when the vendor sends a corrective action plan. A plan is not a cure, and it does not prove that an ongoing violation ended. An MSSP analyst should distinguish between the vendor’s stated intention and objective evidence of corrected behavior.

For Harborline Urgent Care, suppose the revenue-cycle vendor responds that it has “reviewed all user accounts.” That statement does not demonstrate that inactive subcontractors lost access. Harborline’s analyst should request an export showing account names, roles, last login dates, disablement dates, and MFA status; compare it to the vendor’s current workforce roster; and sample Citrix and Microsoft Entra ID logs to verify that terminated accounts are no longer authenticating.

A second mistake is assuming that a single incident automatically triggers the § 164.314(a)(1) termination-or-reporting pathway. The regulation is focused on a covered entity that knew of a pattern of activity or practice constituting a material breach or violation. One event may still be serious, may create separate breach notification duties, and may justify contractual action. But analysts should document why the evidence does or does not show a pattern: repeated missed notices, recurring access-control failures, multiple affected customers, ignored prior corrective actions, or the same condition persisting across review periods.

A third mistake is overlooking subcontractors. The required business associate contract objectives in § 164.314(a)(2)(i) include ensuring that agents, including subcontractors, agree to implement reasonable and appropriate safeguards. If a transcription, hosting, billing, or support subcontractor handles ePHI without the required downstream arrangement, the prime business associate may have breached its agreement. If that subcontractor continues handling ePHI without required safeguards, the condition may also be an ongoing violation that must end.

What will an assessor expect the covered entity to show?

Assessors and investigators generally want a defensible chronology, not a generic vendor-management statement. For each suspected business associate breach-versus-violation issue, the covered entity should be able to show what it knew, when it knew it, why the issue was material, what pattern evidence existed, which reasonable cure or cessation steps it required, and how it validated the outcome.

2026-05-04  MSSP identifies 14 inactive vendor accounts with Citrix access
2026-05-05  Harborline sends written cure-and-cease notice under BAA section 7
2026-05-06  Vendor disables accounts and blocks shared administrator credential
2026-05-12  Vendor supplies Entra ID export, subcontractor roster, and access logs
2026-05-14  MSSP validates zero post-disablement authentications; samples 10 terminations
2026-06-15  Harborline performs follow-up review; no recurrence identified

The contract should also contain the required termination authority. Section 164.314(a)(2)(i)(D) requires that the arrangement authorize termination if the covered entity determines that the business associate violated a material term. If the business associate refuses, repeatedly fails remediation, or cannot stop the practice, the covered entity must evaluate whether termination is feasible. If it is not feasible, § 164.314(a)(1) requires reporting the problem to the Secretary, typically through the appropriate HHS process.

Government entities may use an MOU or other law-based arrangement under § 164.314(a)(2)(ii), provided it accomplishes the same business associate contract objectives. The enforcement logic does not disappear because the document is called an MOU rather than a BAA.

What is the bottom-line verdict?

The correct business associate breach vs. violation verdict is: cure a material failure, end ongoing improper conduct, and document both when the facts require both. Under HIPAA § 164.314(a)(1), the covered entity’s exposure is not limited to the vendor’s original error; it also depends on whether the covered entity recognized a material pattern and took reasonable, verifiable action before escalating to termination or reporting when remediation was unsuccessful.

For your next SMB customer vendor review, map each unresolved business associate finding to a specific cure, cessation action, validation artifact, and termination-feasibility decision.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.