BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412. 21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor. 25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency. 30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3 4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification. 7 3. Contractor’s notification shall include, to the extent possible: 9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach; 13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 (1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
Appears in 2 contracts
Samples: Contract for Provision of Services, Contract for Provision of Correctional Health Registry Staffing Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa AnaSte. 1000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx Xxxxx Xxx, CA XX 00000 xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Samples: Covid 19 Consulting Services Agreement, Covid 19 Vaccination Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI ,PHI by either party, Contractor the other party shall 18 notify County of the other such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer at: Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer OCIT | CEO | SECURITY 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx (000) 000-0000 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 92701 xxxxxxxxxxxx@xxxxx.xxx Xxxxxxx X. Xxxx, General Counsel NaphCare, Inc. 0000 Xxxxxxxxxx Xxxx, Xxxxx 0000 Xxxxxxxxxx, Xxxxxxx 00000 Office: (000) 000-0000 31 County Privacy Officer at0000. E-Mail: 32 33 34 35 36 37 2 3Xxxx.xxxx@xxxxxxxx.xxx xxxxxxxxxxxxxxx@xxxxxxxx.xxx
4 a. ContractorEither party’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.. County of Orange Health Care Agency Page 32 MA-042-17011367
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to County of Orange Health Care Agency Page 33 MA-042-17011367 permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County the other party for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Samples: Contract for Electronic Health Record System Maintenance and Support, Contract for Electronic Health Record System Maintenance and Support
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. XxOfficer. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.. Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 00000 (000) 000-0000 Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx Xxxxx Xx, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy and Cybersecurity 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 00000 (000) 000-0000 Xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual and any governmental entities requiring notification at the sole discretion of the County. Such notification will contain the elements required in 45 CFR § 164.410 or applicable state law. Contractor agrees that the County will be given reasonable advance opportunity to review the proposed notice or other related communications to any individual or third party regarding the breach; the County may propose revised or additional content to the materials which will be given reasonable consideration by Contractor (or its agent).
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Samples: Contract With Optumrx, Inc for Pharmacy Benefit Management and Claims Administration Program, Pharmacy Benefit Management and Claims Administration Program
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 Deputy County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 Breach, if known;
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if known;it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Life and Accidental Death and Dismemberment Insurance Contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xxat Xxxx Xxxxxxx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-3154 tbullock@xxxxx.xxxxxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-4082 xxxx@xxxxx.xxxXXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur. notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Enterprise Privacy Officer & Cybersecurity HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP Xxxxx Xxxxxxxxxxx 0000 X. Xxxx Xx. Xxxxxxx Xxxxx Santa Ana., CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 0xx Xx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 92701 Santa Ana, CA 92701 Office: (000) 000-0000 31 County Privacy Officer at(000) 000-0000 E-Mail: 32 33 34 35 36 37 2 3xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Electronic Health Records System Maintenance and Support Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately promptly to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. XxOfficer. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours 24 hours5 business days of the oral notification.. Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxx Xxx, XX 00000 (000) 000-0000 Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx Or Xxxxx Xx, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy and Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxx Xxx, XX 00000 (000) 000-0000 Xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Website, or postal address.
4. County may require Contractor to provide notice to the Individual and any governmental entities requiring notification at the sole discretion of the County. Such notification will contain the elements required in 45 CFR § 164.410, if it is reasonable to do so under the circumstances or applicable state law. Contractor agrees that the County will be given reasonable advance opportunity to review the proposed notice or other related communications to any individual or third party regarding the breach; the County may propose revised or additional content to the materials which will be given reasonable consideration by Contractor (or its agent).
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph Eand as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County, to the maximum extent possible all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 promptlyas soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. To the extent the Breach of Unsecured PHI arises as a result of Contractor’s breach of this Business Associate Contract, Contractor shall bear all reasonable expenses or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Health Management Program Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000714) 000834-0000 4082 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 92701 (000714) 000834-0000 3433 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 (1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
Appears in 1 contract
Samples: Contract for Provision of Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xxat Xxxx Xxxxxxx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Phlebotomy and Laboratory Testing Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor HASC shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor HASC as of the first 22 day on which such Breach is known to Contractor HASC or, by exercising reasonable diligence, 23 would have been known to ContractorHASC.
25 b. Contractor HASC shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of ContractorHASC, as determined by federal 28 common law of agency.
30 2. Contractor HASC shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xxat Xxxx Xxxxxxx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-3154 tbullock@xxxxx.xxxxxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-4082 xxxx@xxxxx.xxxXXXXX@xxxxx.xxx
4 a. ContractorHASC’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. ContractorHASC’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor HASC to have been, accessed, acquired, used, 11 or disclosed during the Breach;; County of Orange Health Care Agency B-15 MA-042-1201042115011466
13 b. Any other information that County is required to include in the 14 notification to Individual under Individualunder 45 CFR §164.404 (c) at the time Contractor HASC is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what HASC is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additionalinformation, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require HASC to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that HASC is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, HASC shall have the burden of demonstrating that HASC made all notifications toCounty consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. HASC shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. HASC shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in noevent later than fifteen (15) calendar days after HASC’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. HASC shall continue to provide all additional pertinent information about the Breach toCounty as it may become available, in reporting increments of five (5) business days after the last report to County. HASC shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. HASC shall bear all expense or other costs associated with the Breach and shall reimburseCounty for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing County of Orange Health Care Agency B-16 MA-042-1201042115011466 the Breach.
Appears in 1 contract
Samples: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer DEPARTMENT INFORMATION TECHNOLOGY Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx.Xxx, 10th Floor Santa Ana, CA XX 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll- free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.. Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx Or Xxxxx Xx, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx Santa Ana, CA 00000 92701 xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor CONTRACTOR shall 18 notify County COUNTY of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor CONTRACTOR as of the first 22 day on which such Breach is known to Contractor CONTRACTOR or, by exercising reasonable diligence, 23 would have been known to ContractorCONTRACTOR.
25 b. Contractor CONTRACTOR shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of ContractorCONTRACTOR, as determined by federal 28 common law of agency.
30 2. Contractor CONTRACTOR shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. XxOfficer. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. ContractorCONTRACTOR’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.. Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 (714) 567-7611 Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx Xxxxx Le, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy and Cybersecurity 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 (714) 834-4082 Xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
7 3. ContractorCONTRACTOR’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor CONTRACTOR to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County COUNTY is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor CONTRACTOR is required to 15 notify County COUNTY or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 (:
1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
4) A brief description of what CONTRACTOR is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. COUNTY may require CONTRACTOR to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the COUNTY.
5. In the event that CONTRACTOR is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, CONTRACTOR shall have the burden of demonstrating that CONTRACTOR made all notifications to COUNTY consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. CONTRACTOR shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. CONTRACTOR shall provide to COUNTY all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit COUNTY to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after CONTRACTOR’s initial report of the Breach to COUNTY pursuant to Subparagraph E.2 above.
8. CONTRACTOR shall continue to provide all additional pertinent information about the Breach to COUNTY as it may become available, in reporting increments of five (5) business days after the last report to COUNTY. CONTRACTOR shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to COUNTY, when such request is made by COUNTY.
9. If the Breach is the fault of CONTRACTOR, CONTRACTOR shall bear all expense or other costs associated with the Breach and shall reimburse COUNTY for all expenses COUNTY incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Contract for Administration of a Health Reimbursement Arrangement Program
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately promptly to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xxat Xxxx Xxxxxxx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours 5 business days of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances and if the Breach was a result of a breach of this Business Associate Contract by Contractor, at the reasonable discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach. and:
(1) Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
(2) Contractor shall provide to County, to the maximum extent possible, all specific and pertinent information about the Breach, including the information listed in Section E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 promptly, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
(3) Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
(4) To the extent the Breach of Unsecured PHI arises as a result of Contractor’s breach of this Business Associate Contract, Contractor shall bear all reasonable expenses or other costs associated with the Breach and shall reimburse County for all reasonable expenses County incurs in addressing the Breach, including costs of, notification,, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Health Management Program Contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer INFORMATION TECHNOLOGY Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 Santa Ana, CA 00000 92701 Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Software Maintenance and Database Hosting Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: CEO OCIT | CEO | SECURITY Security County Privacy Officer HCA Information Technology Security Officer Xxxxx XxLe, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 92701 Office: (000714) 000834-0000 31 County Privacy Officer at3433 E-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.within
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Language Interpretation and Translation Services Contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.. County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (000) 000-0000 xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (000) 000-0000 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer at: Xxxxx Xx, Interim Chief Information Security Officer, CHPC, CHC, CHP OCIT – Enterprise Security 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000714) 000834-4082 Xxxxx.Xx@xxxxx.xxxxx.xxx Xxxxx Xx, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Security 0000 X. Xx. Xxxxxxx Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 92705 (000714) 000834-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 34082 Xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 (1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;:
Appears in 1 contract
Samples: Contract Ma 017 20011143
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.. County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer OCIT | CEO | SECURITY 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx (000) 000-0000 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 92701 xxxxxxxxxxxx@xxxxx.xxx
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: 32 33 34 35 36 37 2 3:
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than thirty (30) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available.. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. In the event Contractor is responsible for the Breach, Contractor shall bear all expense or other costs associated with it and shall reimburse County for all reasonable expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Lease Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately promptly to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3Xxxxx Le, County Privacy Officer OCIT/CEO/Security 0000 X. Xxxxx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four 24 hours three (243) hours business days of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the case of a breach of PHI caused by Contractor’s breach of this contract and if Contractor and County agree that notification is required by law in at least one jurisdiction in which individuals are impacted by a security breach, County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall bear all reasonable expense or other direct costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Employee Benefits Consulting and Actuarial Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer at: Xxxxx Xx, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xx. Xxxxxxx Xxxx Xxxxxx, 0xx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Xxxxxx Xxxxxxx Chief Information Security Officer at0000 X. Xxxx Xx, 0xx Xxxxx Santa Ana, CA 92701 Office: 32 33 34 35 36 37 2 3(000) 000-0000 E-mail: Xxxxxx.xxxxxxx@xxxx.xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Regional Cooperative Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer Or Xxxxx Xx, CHPC, CHC, CHP 0000 Deputy County Privacy Officer 000 X. Xx. Xxxxxxx Xxxxx 0xx Xxxxxx 000 X. 0xx Xxxxxx Santa Ana, CA 92705 Office: 92701 Santa Ana, CA 92701 (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 30000
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Claims Administration and Cost Management Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer Or Xxxxx XxLe, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx Deputy County Privacy Officer 000 X. 0xx Xxxxxx 000 X. 0xx Xxxxxx Xxxxx Xxx Xxxx.Xxx, 10th Floor Santa AnaXX 00000 Xxxxx Xxx, CA XX 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3(000) 000-0000
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer INFORMATION TECHNOLOGY Xxxxx Xx, CHPC, CHC, CHP 0000 County Privacy Officer 1500 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx 000 IT Security Officer 200 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 Santa Ana, CA 00000 92701 Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such BreachBreach within five (5) business days, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer INFORMATION TECHNOLOGY Xxxxx XxLe, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 Santa Ana, CA 00000 92701 Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.. Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-3154 tbullock@xxxxx.xxxxxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-4082 xxxx@xxxxx.xxxXXXXX@xxxxx.xxx
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.within
7 3. Contractor’s notification shall include, to the extent possible:: twenty-four (24) hours of the oral notification. County of Orange Health Care Agency 27 MA-042-13010727 Software Maintenance and Support Services
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;reasonably
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this asthis information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach(such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additionalinformation, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notificationregulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in noevent later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach toCounty as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shallreimburse County for all expenses County incurs in addressing the Breach and consequences thereof, County of Orange Health Care Agency 28 MA-042-13010727 Software Maintenance and Support Services addressing the Breach. including costs of investigation, notification, remediation, documentation or other costs associated with
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. XxOfficer. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.. Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 (714) 567-7611 Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx Xxxxx Xx, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy and Cybersecurity 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 (714) 834-4082 Xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual and any governmental entities requiring notification at the sole discretion of the County. Such notification will contain the elements required in 45 CFR § 164.410 or applicable state law. Contractor agrees that the County will be given reasonable advance opportunity to review the proposed notice or other related communications to any individual or third party regarding the breach; the County may propose revised or additional content to the materials which will be given reasonable consideration by Contractor (or its agent).
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Contract With Optumrx, Inc for Pharmacy Benefit Management and Claims Administration Program
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa AnaSte. 1000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx Xxxxx Xxx, CA XX 00000 xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) County of Orange MA-042-22010828 day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County. County of Orange MA-042-22010828
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Contract for School Nurse Covid Case Investigation Support Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Professional Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at: Xxxx Xxxxxxx, County Privacy Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. 0xx Xxxxxx Xxxxx Xxx Xxxx.Xxx, 10th Floor Santa Ana, CA XX 00000 (000) 000-0000 31 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, Deputy County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (000) 000-0000 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx Santa Ana, CA 00000 92701 xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Contract for Clinical and Non Clinical Temporary Staffing Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor CONTRACTOR shall 18 notify County COUNTY of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor CONTRACTOR as of the first 22 day on which such Breach is known to Contractor CONTRACTOR or, by exercising reasonable diligence, 23 would have been known to ContractorCONTRACTOR.
25 b. Contractor CONTRACTOR shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of ContractorCONTRACTOR, as determined by federal 28 common law of agency.
30 2. Contractor CONTRACTOR shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY below County Privacy Officer HCA Information Technology Security Officer contacts: CONTRACTOR’S notification may be oral, but shall be followed by written notification within 24 hours of the oral notification. Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx Information Security Officer 000 X. Xxxxx Xxx Xxxx.Xxxxxx Xx. Xxxxx Xxx, 10th Floor Santa Ana, CA XX 00000 Office: (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twentyXxxxxxxxXxxxxxxxx@xxxxx.xxx Xxxxx Xxxxx Chief Compliance Officer 000 X. 0xx Xxxxxx Xxx. 000 Xxxxx Xxx, XX 00000 Office: (000) 000-four (24) hours of the oral notification.0000 E-Mail: xxxxxx@xxxxx.xxx
7 3. Contractor’s CONTRACTOR’S notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor CONTRACTOR to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County COUNTY is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor CONTRACTOR is required to 15 notify County COUNTY or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 (1) :
i. A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
ii. A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
iii. Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
iv. A brief description of what CONTRACTOR is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
v. Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. COUNTY may require CONTRACTOR to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the COUNTY.
5. In the event that CONTRACTOR is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, CONTRACTOR shall have the burden of demonstrating that CONTRACTOR made all notifications to COUNTY consistent with this Paragraph F and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. CONTRACTOR shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. CONTRACTOR shall provide to COUNTY all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit COUNTY to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after CONTRACTOR’s initial report of the Breach to COUNTY pursuant to Subparagraph F.2 above.
8. CONTRACTOR shall continue to provide all additional pertinent information about the Breach to COUNTY as it may become available, in reporting increments of five (5) business days after the last report to COUNTY. CONTRACTOR shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to COUNTY, when such request is made by COUNTY.
9. If the Breach is the fault of CONTRACTOR, CONTRACTOR shall bear all expense or other costs associated with the Breach and shall reimburse COUNTY for all expenses COUNTY incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at: Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, CHPCDeputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, CHC, CHP XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 30000
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Xxxxxxxx; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. XxOfficer. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four three (243) business days 24 hours of the oral notification.. Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxx Xxx, XX 00000 (714) 567-7611 Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx Xxxxx Le, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy and Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 Xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the case of a Breach of Unsecured PHI caused by Contractor’s breach of this contract and if Contractor and County agree that notification is required by law in at least one jurisdiction in which individuals are impacted by a security breach, County may require Contractor to provide notice to the Individual and any governmental entities requiring notification at the sole discretion of the County. Such notification will contain the elements required in 45 CFR § 164.410 or applicable state law. Contractor agrees that the County will be given reasonable advance opportunity to review the proposed notice or other related communications to any individual or third party regarding the breach; the County may propose revised or additional content to the materials which will be given reasonable consideration by Contractor (or its agent).
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including reasonable direct costs of investigation, notification, remediation, or documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Employee Benefits Consulting and Actuarial Services Contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. XxOfficer. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four three (243) hours business days of the oral notification.. Xxxxxx Xxxxxxx, Chief Information Security Officer OCIT – Enterprise Privacy & Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxx Xxx, XX 00000 (714) 567-7611 Xxxxxx.Xxxxxxx@xxxx.xxxxx.xxx Xxxxx Le, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy and Cybersecurity 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 Xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the case of a Breach of Unsecured PHI caused by Contractor’s breach of this contract and if Contractor and County agree that notification is required by law in at least one jurisdiction in which individuals are impacted by a security breach, County may require Contractor to provide notice to the Individual and any governmental entities requiring notification. Such notification will contain the elements required in 45 CFR § 164.410 or applicable state law. Contractor agrees that the County will be given reasonable advance opportunity to review the proposed notice or other related communications to any individual or third party regarding the breach; the County may propose revised or additional content to the materials which will be given reasonable consideration by Contractor (or its agent).
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall reimburse County for reasonable direct costs of investigation, notification, remediation, or documentation costs associated with addressing the Breach.
Appears in 1 contract
Samples: Consulting Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 Deputy County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Pharmacy Benefits Manager Quality Assurance Services Contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.. County of Orange, Health Care Agency Software Maint. & Data Hosting Services Page 33 of 50
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer INFORMATION TECHNOLOGY Xxxxx XxLe, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 Santa Ana, CA 00000 92701 Office: (000714) 000834-0000 31 County Privacy Officer at3433 E-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm County of Orange, Health Care Agency Software Maint. & Data Hosting Services Page 34 of 50 resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such BreachBreach within five (5) business days, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer INFORMATION TECHNOLOGY Xxxxx XxLe, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 Santa Ana, CA 00000 92701 Office: (000714) 000834-0000 31 County Privacy Officer at3433 E-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx XxLe, CHPC, CHC, CHP County Privacy Officer OCIT | CEO | SECURITY 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx (714) 834-3433 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 92701 xxxxxxxxxxxx@xxxxx.xxx
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: 32 33 34 35 36 37 2 3:
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably HCA ASR 20-000812 County of Orange Page 14 Health Care Agency believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, HCA ASR 20-000812 County of Orange Page 15 Health Care Agency including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Subordinate Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such BreachBreach within five (5) business days, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer INFORMATION TECHNOLOGY Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Ste. 1000 Santa Ana, CA 00000 92701 Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI, Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately promptly, and without any unreasonable delay, but in any event within ten (10) business days after discovery, to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer at: Xxxxx Xx, CHPC, CHC, CHP County Privacy Officer 0000 X. Xx. Xxxxxxx Xxxx Xxxxxx, 0xx Xxxxx Santa AnaXxxxx Xxx, CA 92705 XX 00000 Office: (000) 000-0000 Email: xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Xxxxxx Xxxxxxxx, MBA, CISSP, Chief Information Security Officer 0000 X. Xxxx Xxxxxx, 0xx Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx.Xxx, 10th Floor Santa Ana, CA XX 00000 Office: (000) 000-0000 31 County Privacy Officer atEmail: 32 33 34 35 36 37 2 3Xxxxxx.Xxxxxxxx@xxxx.xxxxx.xxx
4 a. Contractor’s notification may be oral, oral but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four without unreasonable delay and in no event later than three (243) hours business days from date of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §§ 164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all direct expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation, or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Claims Administration Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 Deputy County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 Or Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx Xxxx.Xxx, 10th Floor Santa Ana, CA XX 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx (000) 000-0000 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Xxxxxxxx; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xxat Xxxx Xxxxxxx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately immediatelypromptly to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at Xxxx Xxxxxxx, County Privacy Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. 0xx Xxxxxx Xxxxx Xxx Xxxx.Xxx, 10th Floor Santa Ana, CA XX 00000 (000) 000-0000 31 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Xx, Deputy County Privacy Officer at: 32 33 34 35 36 37 2 3000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (000) 000-0000 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours 24 hours5 business days of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole and if the Breach was a result of a breach of this Business Associate Contract by Contractor, at the reasonable discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach. and:
(1) Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
Appears in 1 contract
Samples: Health Management Program Contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-3154 xxxxxxxx@xxxxx.xxx xxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx Xxxxxx Xxxxx Xxx, XX 00000 (714) 834-4082 xxxx@xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Samples: Employee Benefits Consulting and Actuarial Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security at: Xxxxx Le, Deputy County Privacy Officer Xxxxx Xx, CHPC, CHC, CHP 000 X. 0xx Xxxxxx 0000 X. Xxxx Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana0xx Xxxxx Xxxxx Xxx, CA XX 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3Xxxxx.xx@xxxx.xxxxx.xxx XXXXX@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
5. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
6. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
7. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
Appears in 1 contract
Samples: Contract for Off Site Data Storage and Retrieval Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.. Xxxx Xxxxxxx, County Privacy Officer 000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-3154 tbullock@xxxxx.xxxxxxxxxxxxxxxxx@xxxxx.xxx Or Xxxxx Le, Deputy County Privacy Officer 000 X. 0xx XxxxxxXxxxx Xxx, CA 92701 (714) 834-4082 xxxx@xxxxx.xxxXXXXX@xxxxx.xxx
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000at County of Orange Health Care Agency 28 MA-042-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 311011483 13011452
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above. County of Orange Health Care Agency 29 MA-042-11011483 13011452 addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer at: Xxxxx Xx, CHPC, CHC, CHP Deputy County Privacy Officer 0000 X. Xxxx Xx. Xxxxxxx Xxxxx Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor 0xx Xxxxx Santa Ana, CA 00000 (000) 000-0000 31 County Privacy Officer at: 32 33 34 35 36 37 2 3Xxxxx.xx@xxxx.xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) 24 hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
5. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
6. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
7. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
Appears in 1 contract
Samples: Contract for Off Site Data Storage and Retrieval Services
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Enterprise Privacy Officer & Cybersecurity HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP Xxxxx Xxxxxxxxxxx 0000 X. Xxxx Xx. Xxxxxxx Xxxxx Santa Ana., CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 0xx Xx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 92701 Santa Ana, CA 92701 Office: (000) 000-0000 31 County Privacy Officer at(000) 000-0000 E-Mail: 32 33 34 35 36 37 2 3xxxxx.xx@xxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); DocuSign Envelope ID: 32AC7F38-40B4-4FD7-9103-57D01A9AA5C7
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP 0000 X. Xx. Xxxxxxx Xxxxx Xxxxx, 2nd Fl. Santa Ana, CA 92705 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx IT Security Officer 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa AnaSte. 1000 E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx Xxxxx Xxx, CA XX 00000 xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to County of Orange MA-042-21011330 Health Care Agency Page 41 of 49 Folder No. C032752 Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable County of Orange MA-042-21011330 Health Care Agency Page 42 of 49 Folder No. C032752 requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHIPHI , Contractor shall 18 notify County of such Breach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer Xxxxx Xx, CHPC, CHC, CHP INFORMATION TECHNOLOGY 0000 X. Xx. Xxxxxxx Xxxxx, 2nd Fl. 000 X. Xxxxx Xxx Xxxx., Ste. 1000 Santa Ana, CA 92705 Xxxxx Xxx, XX 00000 Office: (000) 000-0000 Xxxxx Xxxxxxxxxxx 000 X. Xxxxx Xxx Xxxx., 10th Floor Santa Ana, CA 00000 Office: (000) 000-0000 31 County Privacy Officer atE-Mail: 32 33 34 35 36 37 2 3xxxxx.xx@xxxxx.xxxxx.xxx E-Mail: xxxxxxxxxxxx@xxxxx.xxx
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: xxxxx.xx@xxxxx.xxxxx.xxx xxxxxxxxxxxxxxxxxxx@xxxxx.xxxxx.xxx xxxxxxxxxxxx@xxxxx.xxx 5 notification within twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 18 :
(1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
