Common use of Breach Notification Obligations of the Business Associate Clause in Contracts

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) after the Business Associate first discovers the incident: a. To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. To complete and submit the appropriate Information Security Data Breach Incident Report form identified in attachment A; and d. To draft a letter for the Covered Entity to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and v. Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) after the Business Associate first discovers the incident: a. To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. To complete and submit the appropriate Information Security Data Breach Incident Report form identified in attachment Alocated on the Agency’s website at xxxx://xxx.xxx.xxxxx.xx.xx/Consumers/Health/HIPAA/Home.html; and d. To draft a letter for the Covered Entity to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and v. Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) 5 business days after the Business Associate first discovers the incident: a. To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. To complete and submit the appropriate Information Security Data Breach Incident Report form identified located on the Agency’s website as set forth in attachment A; andExhibit A. d. To draft a letter for the Covered Entity and provide written notification to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and, v. Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) after the Business Associate first discovers the incident: a. To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. To complete and submit the appropriate Information Security Data Breach Incident Report form identified in attachment Alocated on the Agency’s website at xxxxx://xxx.xxxx.xxx/hippa/privacy-forms; and d. To draft a letter for the Covered Entity to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and v. Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) after the Business Associate first discovers the incident: a. i) To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. ii) To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. iii) To complete and submit the appropriate Information Security Data Breach Incident Report form identified in attachment A; and d. iv) To draft a letter for the Covered Entity to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. a) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. b) A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. c) Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. d) A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and v. e) Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) after the Business Associate first discovers the incident: a. To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. To complete and submit the appropriate Information Security Data Breach DHS Incident Report form identified in attachment Alocated on the Agency’s website at xxxxx://xxx.xxxx.xxx/hipaa/baa; and d. To draft a letter for the Covered Entity to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and v. Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.

Breach Notification Obligations of the Business Associate. In the event that the Business Associate discovers a Breach of Unsecured Protected Health Information, the Business Associate agrees to take the following measures immediately (i.e., within 72 hours) after the Business Associate first discovers the incident: a. To notify the Covered Entity of any Breach. Such notice by the Business Associate shall be provided without unreasonable delay, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of this BAA, the Business Associate is deemed to have discovered the Breach as of the first day on which such Breach is known to the Business Associate or by exercising reasonable diligence, would have been known to the Business Associate, including any person, other than the Individual committing the Breach, that is a workforce member or agent of the Business Associate; b. To include to the extent possible the identification of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach; c. To complete and submit the appropriate Information Security Data Breach Incident Report form identified in attachment Alocated on the Agency’s website at xxxx://xxx.xxx.xxxxx.xx.xx/Consumers/Health/HIPAA/Home.html; and d. To draft a letter for the Covered Entity to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: i. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; ii. A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); iii. Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; iv. A brief description of what the Covered Entity and the Business Associate are doing to investigate the Breach, to mitigate harm, and to protect against any further Breaches; and v. Contact procedures for Individuals to ask questions or learn additional information, which shall include Covered Entity contact information, including a toll-free telephone number, an e-mail address, web site, or postal address.