Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Party shall provide a Notification to the other Party. The Notification should include sufficient information for the other Party to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
1. One or two sentence description of the Breach
2. Description of the roles of the people involved in the Breach (e.g. employees, Authorized Users, service providers, unauthorized persons, etc.)
3. The type of data Breached
4. Submitters likely impacted by the Breach
5. Number of individuals or records impacted/estimated to be impacted by the Breach
6. Actions taken by the Submitter to mitigate the Breach
7. Current Status of the Breach (under investigation or resolved)
8. Corrective action taken and steps planned to be taken to prevent a similar Breach.
b. The Party reporting the Breach shall supplement the information contained in the Notification as it becomes available and cooperate with the other Party in accordance with Section 1 of this Agreement. The Notification required by this Section 10.02 shall not include any PHI. If, on the basis of the Notification, NC HIEA determines that (i) other Submitters that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Submitters would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Submitters that does not identify any of the individuals involved in the Breach.
c. Information provided by either Party in accordance with this Section 10.02 may be “Confidential Information.” Such “Confidential Information” shall be treated in accordance with Section 12.
Appears in 7 contracts
Samples: Nc Hiea Participation Agreement, Nc Hiea Participation Agreement, Nc Hiea Participation Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. Each Participant agrees that within one (1) hour of discovering information that leads the Participant to reasonably believe that a Breach may have occurred, it will alert other Participants whose Message Content may have been Breached and the NHIN Coordinating Committee to such information. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Participant will notify all Participants likely impacted by the Breach and the NHIN Coordinating Committee or its designee of such Breach. The notification should include sufficient information for the NHIN Coordinating Committee to understand the nature of the Breach. For instance, such notification could include, to the extent available at the time of the notification, the following information:
• One or two sentence description of the Breach
• Description of the roles of the people involved in the Breach (e.g. employees, Participant Users, service providers, unauthorized persons, etc.)
• The type of Message Content Breached
• Participants likely impacted by the Breach
• Number of individuals or records impacted/estimated to be impacted by the Breach
• Actions taken by the Participant to mitigate the Breach
• Current Status of the Breach (under investigation or resolved)
• Corrective action taken and steps planned to be taken to prevent a similar Breach.
The Participant shall have a duty to supplement the information contained in the notification as it becomes available and cooperate with other Participants and the NHIN Coordinating Committee or its designee in accordance with Section 22(e) of this Agreement. The notification required by this Section 16.03 shall not include any PHI. If, on the basis of the notification, a Participant desires to stop exchanging Message Content with the Participant that reported a Breach, it shall stop exchanging Message Content in accordance with Section 13.01(b) of this Agreement. If, on the basis of the notification, the NHIN Coordinating Committee or its designee determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the notification or
Appears in 4 contracts
Samples: Data Use and Reciprocal Support Agreement (Dursa), Data Use and Reciprocal Support Agreement (Dursa), Data Use and Reciprocal Support Agreement (Dursa)
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Party shall provide a Notification to the other Party. Submitter must also alert the SAS Help Desk at XXXxxxxxxx@xxx.xxx and describe the incident as soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred. The Notification should include sufficient information for the other Party to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
1. One or two sentence description of the Breach
2. Description of the roles of the people involved in the Breach (e.g. employees, Authorized Users, service providers, unauthorized persons, etc.)
3. The type of data Breached
4. Submitters likely impacted by the Breach
5. Number of individuals or records impacted/estimated to be impacted by the Breach
6. Actions taken by the Submitter to mitigate the Breach
7. Current Status of the Breach (under investigation or resolved)
8. Corrective action taken and steps planned to be taken to prevent a similar Breach.
b. The Party reporting the Breach shall supplement the information contained in the Notification as it becomes available and cooperate with the other Party in accordance with Section 1 of this Agreement. The Notification required by this Section 10.02 shall not include any PHI. If, on the basis of the Notification, NC HIEA determines that (i) other Submitters that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Submitters would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Submitters that does not identify any of the individuals involved in the Breach.
c. Information provided by either Party in accordance with this Section 10.02 may be “Confidential Information.” Such “Confidential Information” shall be treated in accordance with Section 12.
Appears in 3 contracts
Samples: Nc Hiea Submission Agreement, Vaccine Data Submission Agreement, Vaccine Data Submission Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. Each Participant agrees that within one (1) hour of discovering information that leads the Participant to reasonably believe that a Breach may have occurred, it shall alert other Participants whose Message Content may have been Breached and the Coordinating Committee to such information. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Participant shall provide a Notification to all Participants likely impacted by the Breach and the Coordinating Committee of such Breach. The Notification should include sufficient information for the Coordinating Committee to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
• One or two sentence description of the Breach
• Description of the roles of the people involved in the Breach (e.g. employees, Participant Users, service providers, unauthorized persons, etc.)
• The type of Message Content Breached
• Participants likely impacted by the Breach
• Number of individuals or records impacted/estimated to be impacted by the Breach
• Actions taken by the Participant to mitigate the Breach
• Current Status of the Breach (under investigation or resolved)
• Corrective action taken and steps planned to be taken to prevent a similar Breach.
The Participant shall supplement the information contained in the Notification as it becomes available and cooperate with other Participants and the Coordinating Committee in accordance with Section 20(e) of this Agreement. The Notification required by this Section 14.03 shall not include any PHI. If, on the basis of the Notification, a Participant desires to stop Transacting Message Content with the Participant that reported a Breach, it shall stop Transacting Message Content in accordance with Section 12.01(b) of this Agreement. If, on the basis of the notification, the Coordinating Committee determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of the Performance and Service Specifications, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
b. Information provided by a Participant in accordance with this Section 14.03, except Message Content, may be “Confidential Participant Information.” Such “Confidential Participant Information” shall be treated in accordance with Section 16.
c. This Section 14.03 shall not be deemed to supersede a Participant’s obligations (if any) under relevant security incident, breach notification or confidentiality provisions of Applicable Law.
d. Compliance with this Section 14.03 shall not relieve Participants of any other security incident or breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Appears in 3 contracts
Samples: Data Use and Reciprocal Support Agreement (Dursa), Health Information Exchange Agreement, Data Use and Reciprocal Support Agreement (Dursa)
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. Each Participant agrees that within one (1) hour of discovering information that leads the Participant to reasonably believe that a Breach may have occurred, it shall alert other Participants whose Message Content may have been Breached and the Coordinating Committee to such information. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Participant shall provide a Notification to all Participants likely impacted by the Breach and the Coordinating Committee of such Breach. The Notification should include sufficient information for the Coordinating Committee to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
One or two sentence description of the Breach
Description of the roles of the people involved in the Breach (e.g. employees, Participant Users, service providers, unauthorized persons, etc.)
The type of Message Content Breached
Participants likely impacted by the Breach
Number of individuals or records impacted/estimated to be impacted by the Breach
Actions taken by the Participant to mitigate the Breach
Current Status of the Breach (under investigation or resolved)
Corrective action taken and steps planned to be taken to prevent a similar Breach.
The Participant shall supplement the information contained in the Notification as it becomes available and cooperate with other Participants and the Coordinating Committee in accordance with Section 20(e) of this Agreement. The Notification required by this Section 14.03 shall not include any PHI. If, on the basis of the Notification, a Participant desires to stop Transacting Message Content with the Participant that reported a Breach, it shall stop Transacting Message Content in accordance with Section 12.01(b) of this Agreement. If, on the basis of the notification, the Coordinating Committee determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of the Performance and Service Specifications, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
b. Information provided by a Participant in accordance with this Section 14.03, except Message Content, may be “Confidential Participant Information.” Such “Confidential Participant Information” shall be treated in accordance with Section 16.
c. This Section 14.03 shall not be deemed to supersede a Participant’s obligations (if any) under relevant security incident, breach notification or confidentiality provisions of Applicable Law.
d. Compliance with this Section 14.03 shall not relieve Participants of any other security incident or breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Appears in 3 contracts
Samples: Data Use and Reciprocal Support Agreement (Dursa), Data Use and Reciprocal Support Agreement (Dursa), Data Use and Reciprocal Support Agreement (Dursa)
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section 14 only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
14.01. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Parties shall provide a Notification to the other Party and to all Participants likely impacted by the Breach. Participant must also alert the SAS Help Desk at XXXxxxxxxx@xxx.xxx and describe the incident as soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred. The Notification should include sufficient information for the other Party or other Participants to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
a. One or two sentence description of the Breach
b. Description of the roles of the people involved in the Breach (e.g. employees, Authorized Users, service providers, unauthorized persons, etc.)
c. The type of Message Content Breached
d. Participants likely impacted by the Breach
e. Number of individuals or records impacted/estimated to be impacted by the Breach
f. Actions taken by the Participant to mitigate the Breach
g. Current Status of the HIPAA Breach (under investigation or resolved)
h. Corrective action taken and steps planned to be taken to prevent a similar Breach.
14.02. The Parties shall supplement the information contained in the Notification as it becomes available and cooperate with the other Participants in accordance with Section 1(e) of this Agreement. The Notification required by this Section 14 shall not include any PHI. If, on the basis of the Notification, a Participant desires to stop Transacting Message Content with the Participant that reported a Breach, it shall stop Transacting Message Content in accordance with Section 1 of this Agreement. If, on the basis of the Notification, NC HIEA determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
14.03. Information provided by a Participant in accordance with this Section, except Message Content, may be “Confidential Participant Information.” Such “Confidential Participant Information” shall be treated in accordance with Section 16.
14.04. This Section shall not be deemed to supersede a Participant’s obligations (if any) under relevant security incident, Breach notification or confidentiality provisions of Applicable Law.
14.05. Compliance with this Section shall not relieve Participants of any other security incident or Breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Appears in 2 contracts
Samples: Full Participation Agreement, Full Participation Agreement for Pharmacies for Nc Healthconnex Access and Data Use
Breach Notification.
a. As a Covered Entity and/or Business Associate under HIPAA Administrative Simplification, the Trading Partner acknowledges that it is subject to 45 CFR Parts 160 and 164, Subpart D, Breach Notification for Unsecured Protected Health Information (“HIPAA Breach Rule”).
b. With respect to the Data provided to the Trading Partner by FSSA and to the extent that such Data includes Protected Health Information (as that term is defined in the HIPAA Privacy Rule), should the Trading Partner discover that the Data has been improperly disclosed in violation of the HIPAA Privacy Rule, whether or not such disclosure has or has yet to be determined to be a Breach (as that term is defined in §164.402 of the HIPAA Breach Rule), the Trading Partner will:
i. Provide notice to the Fiscal Agent within two (2) business days of its discovery of the improper disclosure;
ii. Such notice will include as many details regarding the improper disclosure as the Trading Partner can ascertain to that point (e.g., source of the disclosure, the information disclosed, recipient of the disclosed information, how the disclosure occurred, etc.);
iii. Fully cooperate with FSSA and the FSSA HIPAA Compliance Office regarding the improper disclosure, including but not limited to: (1) the ongoing results of the Trading Partner’s investigation; (2) determination of whether the improper disclosure constituted a Breach; (3) preparation of written and other notice to the individual(s) subject to the Breach in accordance with the HIPAA Breach Rule; (4) preparation of public notice regarding the Breach as may apply; (5) mitigation activities undertaken by the Trading Partner; and, (6) corrective actions the Trading Partner has or plans to implement.
c. The Trading Partner understands and agrees that it is responsible for any Breach of the Data in its safekeeping and assumes all liability regarding such Breach and hereby indemnifies and holds harmless FSSA and the State of Indiana from any loss, damage, costs, expense, judgment, sanction or liability, including but not limited to, consequential damages and attorney’s fees and costs that the Trading Partner or FSSA, and the State of Indiana may incur resulting from such Breach.
Appears in 2 contracts
Samples: Trading Partner Agreement, Trading Partner Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section 14 only, the term "Breach" refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
14.01. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Parties shall provide a Notification to the other Party and to all Participants likely impacted by the Breach. Participant must also alert the SAS Help Desk at XXXxxxxxxx@xxx.xxx and describe the incident as soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred. The Notification should include sufficient information for the other Party or other Participants to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
a. One or two sentence description of the Breach
b. Description of the roles of the people involved in the Breach (e.g., employees, Authorized Users, service providers, unauthorized persons, etc.)
c. The type of Message Content Breached
d. Participants likely impacted by the Breach
e. Number of individuals or records impacted/estimated to be impacted by the Breach
f. Actions taken by the Participant to mitigate the Breach
g. Current status of the HIPAA Breach (under investigation or resolved)
h. Corrective action taken and steps planned to be taken to prevent a similar Breach.
14.02. The Parties shall supplement the information contained in the Notification as it becomes available and reasonably cooperate with the other Participants in accordance with Section 1 of this Agreement. The Notification required by this Section 14 shall not include any PHI. If, on the basis of the Notification, a Participant desires to stop Transacting Message Content with the Participant that reported a Breach, it shall stop Transacting Message Content in accordance with Section 1 of this Agreement. If, on the basis of the Notification, NC HIEA determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
14.03. Information provided by a Participant in accordance with this Section, except Message Content, may be "Confidential Participant Information." Such "Confidential Participant Information" shall be treated in accordance with Section 16.
14.04. This Section shall not be deemed to supersede a Participant’s obligations (if any) under relevant security incident, Breach notification or confidentiality provisions of Applicable Law.
14.05. Compliance with this Section shall not relieve Participants of any other security incident or Breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Appears in 1 contract
Samples: Full Participation Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party and other Participants whose data may have been Breached. Participant must also alert the SAS Help Desk at XXXxxxxxxx@xxx.xxx within one (1) hour of discovery and describe the incident. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Parties shall provide a Notification to the other Party and to all Participants likely impacted by the Breach. The Notification should include sufficient information for the other Party or other Participants to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
1. One or two sentence description of the Breach
2. Description of the roles of the people involved in the Breach (e.g. employees, Authorized Users, service providers, unauthorized persons, etc.)
3. The type of data Breached
4. Submitters likely impacted by the Breach
5. Number of individuals or records impacted/estimated to be impacted by the Breach
6. Actions taken by the Submitter to mitigate the Breach
7. Current Status of the Breach (under investigation or resolved)
8. Corrective action taken and steps planned to be taken to prevent a similar Breach.
b. The Parties shall supplement the information contained in the Notification as it becomes available and cooperate with the other Participants if necessary. The Notification required by this Section 10.02 shall not include any PHI. If, on the basis of the Notification, NC HIEA determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
c. Compliance with this Section 10.02 shall not relieve Participants of any other security incident or Breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Appears in 1 contract
Breach Notification. Parties will advise relevant party/parties about any security, or suspected security breach where it deems there may be either a security or reputational risk to the party/parties”. The rights conferred under this Clause are without prejudice to any other rights and remedies for breach of this Agreement whether in contract or otherwise in law. Duration, Review and amendment This Agreement shall come into force on the date of signature by the Parties and will continue, until terminated by either Party on giving twenty-eight (28) days prior written notice to the other Party unless terminated earlier by the Disclosing Party in accordance with Clause 5.5. This Agreement will be reviewed three years after it comes into force and every three years thereafter until termination or expiry in accordance with its terms. Without prejudice to Clause 5.5, the Parties will also review this Agreement and the operational arrangements which give effect to it, if any of the following events takes place: the terms of this Agreement have been breached in any material aspect, including any security breach or data loss in respect of Data which is subject to this Agreement; if one of the Parties is of a view that there has been a substantive change to the data sharing that takes place between the Parties under this Agreement; or the Information Commissioner or any of his or her authorised staff recommends that the Agreement be reviewed. Any amendments to this Agreement will only be effective when contained within a formal amendment document which is formally executed in writing by all Parties. In the event that the Disclosing Party has any reason to believe that the Data Recipient is in breach of any of its obligations under this Agreement, the Disclosing Party may at its sole discretion: suspend the sharing of Data until such time as the Disclosing Party is reasonably satisfied that the breach will not re-occur; and/or Terminate this Agreement immediately by written notice to the Data Recipient if the Data Recipient commits a material breach of this Agreement which (in the case of a breach capable of a remedy) it does not remedy within five (5) Business Days of receiving written notice of the breach.
Where the Disclosing Party exercises its rights under Clause 5.4, it may request the return of the Data (in which case the Data Recipient shall, no later than seven (7) days after receipt of such a written request from the Disclosing Party, at the Disclosing Party’s option, return or permanently erase/destroy all materials held by or under the control of the Data Recipient which contain or reflect the Data and shall not retain any copies, extracts or other reproductions of the Data either in whole or in part), save that the Data Recipient will be permitted to retain one copy for the purpose of complying with, and for so long as required by, any law or judicial or administrative process or for its legitimate internal compliance and/or record keeping requirements Dispute Resolution The Parties hereby agree to act in good faith at all times to attempt to resolve any dispute or difference relating to the subject matter of, and arising under, this Agreement. The Notification required by If the Representatives dealing with a dispute or difference are unable to resolve this Section 10.02 shall not include any PHI. If, on the basis themselves within twenty Business Days of the Notificationissue arising, NC HIEA determines the matter shall be escalated to the following individuals in Part 4 identified as escalation points who will endeavour in good faith to resolve the issue. In the event that the Parties are unable to resolve the dispute amicably within a period of twenty (i20) other Submitters Business Days from date on which the dispute or difference was escalated in terms of Clause 6.2, the matter may be referred to a mutually agreed mediator. 
If mediation fails to resolve the dispute or if the chosen mediator indicates that have the dispute is not been notified of suitable for mediation, and the Breach would benefit from a summary of the Notification Parties remain unable to resolve any dispute or (ii) a summary of the Notification difference in accordance with Clauses 6.1 to 6.3, then either Party may, by notice in writing to the other Submitters would enhance Party, refer the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Submitters that does not identify any of dispute for determination by the individuals involved in the Breach.
c. Information provided by either Party courts in accordance with this Section 10.02 may be “Confidential InformationClause 8. The provisions of Clauses 6.1 to 6.4 do not prevent either Party from applying for an interim court order whilst the Parties attempt to resolve a dispute.” Such “Confidential Information” shall be treated in accordance with Section 12.
Samples: Data Sharing Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. The Parties agree Each Participant agrees that within one (1) hour of discovering information that leads the Party Participant to reasonably believe that a Breach may have occurred, it shall willshall alert other Participants whose Message Content may have been Breached and the other PartyNHIN Coordinating Committee to such information. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Party shall Participant will notifyshall provide a Notification to all Participants likely impacted by the other PartyBreach and the NHIN Coordinating Committee or its designee of such Breach. The Notification notificationNotification should include sufficient information for the other Party NHIN Coordinating Committee to understand the nature of the Breach. For instance, such Notification notificationNotification could include, to the extent available at the time of the NotificationnotificationNotification, the following information:
1. : One or two sentence description of the Breach
2. Breach Description of the roles of the people involved in the Breach (e.g. employees, Authorized Participant Users, service providers, unauthorized persons, etc.)
3. ) The type of data Breached
4. Submitters Message Content Breached Participants likely impacted by the Breach
5. Breach Number of individuals or records impacted/estimated to be impacted by the Breach
6. Breach Actions taken by the Submitter Participant to mitigate the Breach
7. Breach Current Status of the Breach (under investigation or resolved)
8. ) Corrective action taken and steps planned to be taken to prevent a similar Breach.
b. . The Party reporting the Breach Participant shall have a duty to supplement the information contained in the Notification notificationNotification as it becomes available and cooperate with other Participants and the other Party NHIN Coordinating Committee or its designee in accordance with Section 1 2220(e) of this Agreement. The Notification notificationNotification required by this Section 10.02 16.0314.03 shall not include any PHI. If, on the basis of the NotificationnotificationNotification, NC HIEA a Participant desires to stop exchangingTransacting Message Content with the Participant that reported a Breach, it shall stop exchangingTransacting Message Content in accordance with Section 13.0112.01(b) of this Agreement. If, on the basis of the notification, the NHIN Coordinating Committee or its designee determines that (i) the other Submitters Participants that have not been notified of the Breach would benefit from a summary of the Notification notificationNotification or (ii) a summary of the Notification notificationNotification to the other Submitters Participants would enhance the security of NC HealthConnexthe NHINPerformance and Service Specifications, it may provide, in a timely manner, a summary to such Submitters Participants that does not identify any of the Participants or individuals involved in the Breach.
c. b. Information provided by either Party a Participant in accordance with this Section 10.02 16.03,14.03, except Message Content, may be “Confidential Participant Information.” Such “Confidential Participant Information” shall be treated in accordance with Section 1218.16.
c. This Section 16.0314.03 shall not be deemed to supersede a Participant’s obligations (if any) under relevant security incident, breach notification or confidentiality provisions of Applicable Law.
d. Compliance with this Section 16.0314.03 shall not relieve Participants of any other security incident or breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Breach Notification.
A. TDSO agrees that, as soon as reasonably practicable, but no later than twenty-four (24) hours after it discovers that an actual Breach has occurred, it will notify NJII, via the NJII Website and inform NJII all that the TDSO knows and has discovered about the actual Breach.
B. TDSO agrees that, as soon as reasonably practicable, but no later than seventy-two (72) hours after it discovers that a potential Breach has occurred, on facts in which the TDSO is unable to rule out that an actual Breach has occurred, it will notify NJII, via the NJII Website and inform NJII all that the TDSO knows and has discovered about the potential Breach.
C. A Breach is deemed to have been “discovered,” as of the first day on which the TDSO (by its employee, officer or other agent), other than the person committing the Breach, knows or would have known of such Breach by exercising reasonable diligence.
D. Notification by the TDSO should include sufficient information for NJII to understand the nature of the potential Breach or actual Breach and for the TDSO to comply with any and all obligations under the HIPAA Regulations including, but not limited to, 45 C.F.R. Part 164, Subpart D.
E. For instance, such notification could include, to the extent available at the time of the notification, the following information:
8.1.1 One or two sentence description of the potential Breach or Breach;
8.1.2 Description of the roles of the people involved in the potential Breach or Breach (e.g., employees, Authorized Usersparties, service providers, unauthorized persons, etc.);
8.1.3 The type of Message Content potentially Breached or Breached;
8.1.4 Parties likely impacted by the potential Breach or Breach;
8.1.5 Number of individuals or records impacted/estimated to be impacted by the potential Breach or Breach;
8.1.6 Actions taken by the TDSO to mitigate the potential Breach or Breach;
8.1.7 Current status of the potential Breach or Breach (under investigation or resolved); and
8.1.8 Corrective action taken and steps planned to be taken by the TDSO to prevent a similar potential Breach or Breach.
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section 14 only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
14.01. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party and other Participants whose Message Content may have been Breached. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Parties shall provide a Notification to the other Party and to all Participants likely impacted by the Breach. The Notification should include sufficient information for the other Party or other Participants to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
a. One or two sentence description of the Breach
b. Description of the roles of the people involved in the Breach (e.g. employees, Authorized Users, service providers, unauthorized persons, etc.)
c. The type of Message Content Breached
d. Participants likely impacted by the Breach
e. Number of individuals or records impacted/estimated to be impacted by the Breach
f. Actions taken by the Participant to mitigate the Breach
g. Current Status of the HIPAA Breach (under investigation or resolved)
h. Corrective action taken and steps planned to be taken to prevent a similar Breach.
14.02. The Parties shall supplement the information contained in the Notification as it becomes available and cooperate with the other Participants in accordance with Section 1(e) of this Agreement. The Notification required by this Section 14 shall not include any PHI. If, on the basis of the Notification, a Participant desires to stop Transacting Message Content with the Participant that reported a Breach, it shall stop Transacting Message Content in accordance with Section 1 of this Agreement. If, on the basis of the Notification, NC HIEA determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
14.03. Information provided by a Participant in accordance with this Section, except Message Content, may be “Confidential Participant Information.” Such “Confidential Participant Information” shall be treated in accordance with Section 16.
14.04. This Section shall not be deemed to supersede a Participant’s obligations (if any) under relevant security incident, Breach notification or confidentiality provisions of Applicable Law.
14.05. Compliance with this Section shall not relieve Participants of any other security incident or Breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.
Samples: Full Participation Agreement
Breach Notification. The following provisions apply With respect to both a HIPAA any Unsecured PHI, Supplier shall report to Plan any Breach and a Security Breach (as defined in Section 2 (Definitions). For this Section onlythe Omnibus Rule) discovered by Supplier, the term “Breach” refers to either a HIPAA Breach or a Security Breachany of Supplier’s Subcontractors, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that of Discovery.
(a) The report must include (or be supplemented on an ongoing basis as information becomes available) with: (i) the identification of all Individuals whose Unsecured PHI was or is believed to have been breached; (ii) a Breach has occurred, the Party shall provide a Notification to the other Party. The Notification should include sufficient information for the other Party to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
1. One or two sentence brief description of the Breach
2. Description , including the type of the roles Breach (e.g, theft, loss, improper disposal, hacking), location of the people involved in the Breach (e.g. employeese.g., Authorized Userslaptop, service providersdesktop, unauthorized personspaper), how the Breach occurred, the date the Breach occurred, and the date the Breach was discovered; (iii) a description of the type of Unsecured PHI involved (e.g., social security number, diagnosis, EOBs, etc.)
3. The , including the type of data Breachedmedia, but not the Breached PHI itself, unless requested by Plan; (iv) a description of the safeguards in place prior to the Breach (e.g., firewalls, packet filtering, secure browser sessions, strong authentication); (v) a description of the actions taken in response to the Breach (e.g., additional safeguards, mitigation, sanctions, policies, and procedures); (vi) all other information reasonably requested by Plan to enable Plan to perform and document a risk assessment in accordance with the Breach Notification Rule, and (vii) all other information reasonably necessary to provide notice to Individuals, the Secretary and/or the media.
4. Submitters likely impacted (b) At Plan’s sole option, Plan may delegate to Supplier the responsibility for determining (and providing evidence to Plan) that any such incident is not a Breach, including the requirement to perform a risk assessment to determine whether a low probability of compromise has occurred, as provided by the Breach
5Breach Notification Rule. Number of individuals or records impacted/estimated In the event that Plan delegates this obligation to be impacted by the Breach
6. Actions taken by the Submitter to mitigate the Breach
7. Current Status Supplier, without unreasonable delay, and in any event no later than thirty (30) calendar days after Discovery, Supplier shall provide Plan with written notification of the Breach (under investigation or resolved)
8. Corrective action taken and steps planned to be taken to prevent a similar Breachcopy of the risk assessment that assesses whether a low probability of compromise occurred.
b. The Party reporting (c) At Plan’s sole option, Plan may delegate to Supplier the responsibility of providing any notifications Plan determines is required by the Breach Notification Rule, including notifications to Individuals, the Secretary and/or the media. Prior to sending out such notifications, Supplier will provide a copy of the template notification letters for approval by Plan. All notifications shall supplement comply with the information contained elements established by the Breach Notification Rule and be sent within timeframes established by the Breach Notification Rule. In the event that Plan delegates these obligations to Supplier and in the Notification event of a Breach, without unreasonable delay, and in any event no later than sixty (60) calendar days after Discovery, Supplier shall provide Plan evidence that all required notifications, including any media or Secretary notifications, have been made.
(d) Supplier shall pay all reasonable costs incurred in relation to the occurrence of a Breach or potential Breach, including, but not limited to, expenses relating to providing any notifications Plan, or as it becomes available and cooperate with applicable the other Party in accordance with Section 1 of this Agreement. The Notification required by this Section 10.02 shall not include any PHI. IfSupplier, on the basis of the Notification, NC HIEA determines that (i) other Submitters that have not been notified of necessary under the Breach would benefit from a summary Notification Rule, regardless of whether Supplier or Plan makes the Notification or (ii) a summary of the Notification to the other Submitters would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Submitters that does not identify any of the individuals involved in the Breachnotifications.
c. Information provided by either Party in accordance with this Section 10.02 may be “Confidential Information.” Such “Confidential Information” shall be treated in accordance with Section 12.
Samples: Data Processing Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Pharmacy Data submitted by Submitter hereunder.
a. The Parties agree that within one (1) hour of discovering information that leads the Party to reasonably believe that a Breach may have occurred, it shall alert the other Party. As as soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Party shall provide a Notification to the other Party. Submitter must also alert the SAS Help Desk at XXXxxxxxxx@xxx.xxx and describe the incident as soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred. The Notification should include sufficient information for the other Party to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
1. One or two sentence description of the Breach
2. Description of the roles of the people involved in the Breach (e.g. employees, Authorized Users, service providers, unauthorized persons, etc.)
3. The type of data Breached
4. Submitters likely impacted by the Breach
5. Number of individuals or records impacted/estimated to be impacted by the Breach
6. Actions taken by the Submitter to mitigate the Breach
7. Current Status of the Breach (under investigation or resolved)
8. Corrective action taken and steps planned to be taken to prevent a similar Breach.
b. The Party reporting the Breach shall supplement the information contained in the Notification as it becomes available and cooperate with the other Party in accordance with Section 1 of this Agreement. The Notification required by this Section 10.02 shall not include any PHI. If, on the basis of the Notification, NC HIEA determines that (i) other Submitters that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Submitters would enhance the security of NC HealthConnex, it may provide, in a timely manner, a summary to such Submitters that does not identify any of the individuals involved in the Breach.
c. Information provided by either Party in accordance with this Section 10.02 may be “Confidential Information.” Such “Confidential Information” shall be treated in accordance with Section 12.
Samples: Submission Only Agreement
Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as defined in Section 2 (Definitions). For this Section only, the term “Breach” refers to either a HIPAA Breach or a Security Breach, each to the extent they affect HIE Data submitted by Submitter hereunder.
a. Each Participant agrees that within one (1) hour of discovering information that leads the Participant to reasonably believe that a Breach may have occurred, it shall alert other Participants whose Message Content may have been Breached and the Coordinating Committee to such information. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach has occurred, the Participant shall provide a Notification to all Participants likely impacted by the Breach and the Coordinating Committee of such Breach. The Notification should include sufficient information for the Coordinating Committee to understand the nature of the Breach. For instance, such Notification could include, to the extent available at the time of the Notification, the following information:
• One or two sentence description of the Breach
• Description of the roles of the people involved in the Breach (e.g. employees, Participant Users, service providers, unauthorized persons, etc.)
• The type of Message Content Breached
• Participants likely impacted by the Breach
• Number of individuals or records impacted/estimated to be impacted by the Breach
• Actions taken by the Participant to mitigate the Breach
• Current Status of the Breach (under investigation or resolved)
• Corrective action taken and steps planned to be taken to prevent a similar Breach.
The Participant shall supplement the information contained in the Notification as it becomes available and cooperate with other Participants and the Coordinating Committee in accordance with Section 20(e) of this Agreement. The Notification required by this Section 14.03 shall not include any PHI. If, on the basis of the Notification, a Participant desires to stop Transacting Message Content with the Participant that reported a Breach, it shall stop Transacting Message Content in accordance with Section 12.01(b) of this Agreement. If, on the basis of the notification, the Coordinating Committee determines that (i) the other Participants that have not been notified of the Breach would benefit from a summary of the Notification or (ii) a summary of the Notification to the other Participants would enhance the security of the Performance and Service Specifications, it may provide, in a timely manner, a summary to such Participants that does not identify any of the Participants or individuals involved in the Breach.
b. Information provided by a Participant in accordance with this Section 14.03, except Message Content, may be “Confidential Participant Information.” Such “Confidential Participant Information” shall be treated in accordance with Section 16.
c. This Section 14.03 shall not be deemed to supersede a Participant's obligations (if any) under relevant security incident, breach notification or confidentiality provisions of Applicable Law.
d. Compliance with this Section 14.03 shall not relieve Participants of any other security incident or breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.