Earlier this week, both Quest Diagnostics and LabCorp revealed that they were among the entities whose customers had their data compromised as part of a larger cyber breach that befell the billing and collections service American Medical Collection Agency (AMCA). Such data included customer's birth dates, addresses, phone numbers, date of service, and health provider and balance information.

In a news release, Quest indicated that the AMCA systems impacted by the breach contained information on approximately 11.9 million of their patients. Meanwhile, LabCorp filed a report with the Securities and Exchange Commission indicating that data from approximately 7.7 million of its customers was breached.

So what happens next? To be sure, the Health Insurance Portability and Accountability Act (HIPAA) regulates the healthcare industry's use of identifying information like patient names, date of birth, phone numbers and provider names. Still, when and where HIPAA comes into play when breaches happen at third parties isn't always so cut and dry.

“The ambiguity or the key kind of analysis is understanding the relationship and exactly what the vendor is doing for the covered entity,” said Ryan Blaney, chair of the privacy and data security practice at Cozen O'Connor.

Covered entities such as a hospital or lab could potentially maintain contracts with dozens of vendors or business associates, but HIPAA was not created with trash collectors in mind. The parameters of the act only encompass service providers who are performing a function that the covered entity is required to do under HIPAA, such as debt collection.

Iliana Peters, a shareholder at Polsinelli, said that at the end of the day, business associates that fall under the umbrella of HIPAA are liable if they disclose information in a way that is not allowed by the act's privacy rule, which requires appropriate safeguards to protect personal health information in addition to setting limits on uses and disclosures. They also have the responsibility of alerting the covered entities to the breach.

“Also if there's some kind of security safeguard that was implicated like they didn't patch their software [or] they didn't have malware protection, then the business associate would be liable,” said Peters.

Covered entities aren't entirely off the hook either, though. Stephanie Trunk, a partner at Arent Fox, pointed out that covered entities are still responsible for reporting and mitigating breaches even if they do occur at or because of a business associate.

“As these latest breaches illustrate, it's critical that covered entities review business associate HIPAA policies and practices, including technology solutions, to prevent breaches and unauthorized access by third parties,” Trunk said.

Still, the individual business associate agreements that exist between a covered entity and its vendor can throw some curveballs into the process. While HIPAA may designate covered entities responsible for notifying consumers impacted by a breach, it's not uncommon for such entities to negotiate provisions into their service agreements that would pass the baton back to the vendors.

“Just like contracts, there's leverage, and depending on the party you can require some additional things and you can specify—and hopefully you do specify—who's going to provide the notification because that can be costly,” Blaney said.