Breach Notification Policies and Procedures. A) When I become aware of or suspect a breach, as defined in #1 above, I will conduct a Risk Assessment, as outlined in #2 above. I will keep a written record of that Risk Assessment. B) Unless I determine, through the Risk Assessment, that there is a low probability that PHI has been compromised, I will give notice of the breach to any affected client without unreasonable delay and within 60 days of discovery. The notice will be in plain language that a client can understand and will provide a brief description of the breach, including dates; a description of the types of unsecured PHI involved; the steps the client(s) should take to protect against potential harm; a brief description of the steps I have taken to investigate the incident, mitigate harm, and protect against further breaches; my contact information. For breaches affecting less than 500 clients, I will keep a log of those breaches during the year and then provide notice to HHS of all breaches during the calendar year, within 60 days after that year ends. The risk assessment can be done by a business associate if it was involved in the breach. While the business associate will conduct a risk assessment of a breach of PHI in its control, I will provide any required notice to clients and HHS. After any breach, particularly one that requires notice, I will re-assess privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
Appears in 2 contracts
Samples: Agreement for Psychological Services, Agreement for Psychological Services
Breach Notification Policies and Procedures. A) When I become aware of or suspect a breach, as defined in #1 above, I will conduct a Risk Assessment, as outlined in #2 above. I will keep a written record of that Risk Assessment.
B) Unless I determine, through the Risk Assessment, that there is a low probability that PHI has been compromised, I will give notice of the breach to any affected client without unreasonable delay and within 60 days of discovery. The notice will be in plain language that a client can understand and will provide a brief description of the breach, including dates; a description of the types of unsecured PHI involved; the steps the client(s) should take to protect against potential harm; a brief description of the steps I have taken to investigate the incident, mitigate harm, and protect against further breaches; my contact information. For breaches affecting less than 500 clients, I will keep a log of those breaches during the year and then provide notice to HHS of all breaches during the calendar year, within 60 days after that year ends.
C) The risk assessment can be done by a business associate if it was involved in the breach. While the business associate will conduct a risk assessment of a breach of PHI in its control, I will provide any required notice to clients and HHS.
D) After any breach, particularly one that requires notice, I will re-assess privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
Appears in 2 contracts
Samples: Agreement for Psychological Services, Agreement for Psychological Services
Breach Notification Policies and Procedures. A) When we become aware of or suspect a breach, as defined in #1 above, we will conduct a Risk Assessment, as outlined in #2 above. We will keep a written record of that Risk Assessment.
B) Unless we determine, through the Risk Assessment, that there is a low probability that PHI has been compromised, we will give notice of the breach to any affected client without unreasonable delay and within 60 days of discovery. The notice will be in plain language that a client can understand and will provide a brief description of the breach, including dates; a description of the types of unsecured PHI involved; the steps the client(s) should take to protect against potential harm; a brief description of the steps we have taken to investigate the incident, mitigate harm, and protect against further breaches; my contact information. For breaches affecting less than 500 clients, we will keep a log of those breaches during the year and then provide notice to HHS of all breaches during the calendar year, within 60 days after that year ends.
C) The Risk Assessment can be done by a business associate if it was involved in the breach. While the business associate will conduct a Risk Assessment of a breach of PHI in its control, I will provide any required notice to clients and HHS.
D) After any breach, particularly one that requires notice, we will re-assess privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
Appears in 1 contract
Samples: Provider Client Services Agreement