Common use of Breach Notification Clause in Contracts

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain PHI. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of PHI by Business Associate.
a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured PHI, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of PHI which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: i. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and ii. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured PHI and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents.
c) If Covered Entity determines that it may need to notify any Individual(s) as a result of such Incident that is attributable to Business Associate's breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident.
d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 12(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Incident and any of the following information Covered Entity is required to include in its notice to the Individual pursuant to 45 C.F.R. §164.404(c): i. A brief description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; ii. A description of the types of unsecured PHI that were involved in the Incident (e.g. Social Security number, full name, date of birth, address, diagnosis); iii. Any steps the Individual should take to protect themselves from potential harm resulting from the Incident; iv. A brief description of what is being done to investigate the Incident, mitigate the harm and protect against future Incidents; and v. Contact procedures for Individuals to ask questions or learn additional information which shall include a toll-free number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures).
e) Such additional information must be submitted to Covered Entity immediately at the time the information becomes available to Business Associate.
f) If the cause of a breach of PHI is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing regulations, including, without limitation, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reporting.

Appears in 5 contracts

Samples: Administration Agreement, Administration of the Small Business Health Options Program (Shop), Model Contract

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain PHI. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of PHI by Business Associate.
a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured PHI, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of PHI which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: i. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and ii. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured PHI and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. Business Associate and Covered Entity will cooperate in developing the content of any public statements.
c) If Covered Entity determines that it may need to notify any Individual(s) as a result of such Incident that is attributable to Business Associate’s breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident.
d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 14(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Incident and any of the following information Covered Entity is required to include in its notice to the Individual pursuant to 45 C.F.R. § 164.404(c): i. A brief description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; ii. A description of the types of unsecured PHI that were involved in the Incident (e.g., Social Security number, full name, date of birth, address, diagnosis); iii. Any steps the Individual should take to protect themselves from potential harm resulting from the Incident; iv. A brief description of what is being done to investigate the Incident, mitigate the harm and protect against future Incidents; and v. Contact procedures for Individuals to ask questions or learn additional information which shall include a toll-free number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures).
e) Such additional information must be submitted to Covered Entity immediately at the time the information becomes available to Business Associate.
f) If the cause of a breach of PHI is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required notifications and reporting of the breach as specified in 42 U.S.C. § 17932 and its implementing regulations, including, without limitation, individual notifications, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. Such notification(s) and required reporting shall be done in cooperation with Exchange and subject to Exchange’s review and approval. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reporting.

Appears in 4 contracts

Samples: Qualified Health Plan Contract, Qualified Health Plan Contract, Qualified Health Plan Contract

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain Protected Health Information. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of Protected Health Information by Business Associate.
(a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured Protected Health Information, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of Protected Health Information which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: (i) Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and (ii) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
(b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured Protected Health Information and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. Business Associate and Covered Entity will cooperate in developing the content of any public statements.
(c) If Covered Entity determines that it may need to notify any Individual(s) as a result of such Incident that is attributable to Business Associate’s breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident.
(d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 14(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Incident and any of the following information Covered Entity is required to include in its notice to the Individual pursuant to 45 C.F.R. § 164.404(c): (i) A brief description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; (ii) A description of the types of unsecured Protected Health Information that were involved in the Incident (e.g., Social Security number, full name, date of birth, address, diagnosis); (iii) Any steps the Individual should take to protect themselves from potential harm resulting from the Incident; (iv) A brief description of what is being done to investigate the Incident, mitigate the harm and protect against future Incidents; and (v) Contact procedures for Individuals to ask questions or learn additional information which shall include a toll-free number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures).
(e) Such additional information must be submitted to Covered Entity immediately at the time the information becomes available to Business Associate.
(f) If the cause of a breach of Protected Health Information is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required notifications and reporting of the breach as specified in 42 U.S.C. § 17932 and its implementing regulations, including, without limitation, individual notifications, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured Protected Health Information involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. Such notification(s) and required reporting shall be done in cooperation with Exchange and subject to Exchange’s review and approval. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reporting.

Appears in 4 contracts

Samples: Qualified Health Plan Contract, Stand Alone Dental Plan Contract, Stand Alone Dental Plan Contract

Breach Notification. The AGO will comply with the notification provisions of the HIPAA Rules in the event of a Breach of Unsecured PHI. Any suspected Breach of Unsecured PHI by the AGO will be immediately reported to the Privacy Officer. The Privacy officer will promptly investigate and determine whether a Breach of Unsecured PHI has occurred. A Breach is presumed to have occurred if there is an unauthorized access, acquisition, or disclosure of Unsecured PHI unless the AGO can show that there is a low probability that the information was compromised based on a risk assessment of: a. The nature and extent of the PHI involved; b. The unauthorized person who used the PHI or to whom the Disclosure was made; c. Whether the PHI was actually acquired or viewed; and d. The extent to which the risk to the PHI has been mitigated. A Breach does not include any of the following: a. An unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a Covered Entity or Business Associate agrees if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in an impermissible manner; b. Any inadvertent disclosure by someone who is authorized to implement response programs and record-keeping systems to enable access PHI at a Covered Entity or Business Associate to comply with another person authorized to access PHI at the requirements of this Section and 13402 of the HITECH Act same entity and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain PHI. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of PHI by Business Associate. 
a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured PHI, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of PHI which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: i. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and ii. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured PHI and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. 
c) If Covered Entity determines that it may need to notify any Individual(s) received as a result of such Incident that the disclosure is attributable to Business Associate's breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident. d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 12(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, not further used or disclosed during in an impermissible manner; c. A disclosure of PHI where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the Incident and any disclosure was made would not reasonably have been able to retain such information. If the Privacy Officer determines that the AGO has experienced a Breach of Unsecured PHI, he will notify the Covered Entity whose PHI is affected by the Breach within 60 days after the Breach was discovered, unless a law enforcement official asks the AGO not to report the Breach under 45 C.F.R. §164.412. A Breach is discovered when the AGO knows of the Breach or, by exercising reasonable diligence, an individual who is an employee, officer, or agent of the AGO would have known about the breach. The AGO will provide the Covered Entity with the following information Covered Entity is required to include in its notice to regarding the Individual pursuant to 45 C.F.R. §164.404(c):Breach: i. a. 
The identity of the individual(s) whose Unsecured PHI was improperly accessed, used, or disclosed; b. A brief description of what happened, including the date of the Incident Breach and the date of discovery of the IncidentBreach, if known; ii. c. A description of the types of unsecured Unsecured PHI that were involved in the Incident Breach (e.g. Social Security numbere.g., full name, date of birthSSN, addressdiagnosis code, diagnosisetc.); iii. d. Any steps the Individual individuals should take to protect themselves from potential harm resulting from the IncidentBreach; iv. e. A brief description of what the AGO is being done doing to investigate the IncidentBreach, mitigate the harm to individuals, and protect against future Incidentsfurther Breaches; and v. f. Contact procedures for Individuals individuals to ask questions or learn additional information which shall will include a toll-free telephone number, an e-mail email address, Web sitewebsite, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures). e) Such additional information must be submitted to Covered Entity immediately at address. The AGO has the time the information becomes available to Business Associate. f) If the cause burden of a breach of PHI is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for proving that all required reporting notifications were made and that a given use or disclosure of the breach as specified in 42 U.S.C. section 17932 and its implementing regulations, including, without limitation, notification to media outlets and to the Secretary of the Department of Health & Human Services. 
If Unsecured PHI did not constitute a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reportingBreach.

Appears in 3 contracts

Samples: Consulting Agreement, Consulting Agreement, Consulting Agreement

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisionsshall, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain PHI. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of PHI by Business Associate. a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured PHI, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of PHI which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: i. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and ii. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. 
b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured PHI and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. c) If extent Covered Entity determines that it may need to notify any Individual(s) as there has been a result Breach of such Incident that is attributable to Unsecured Protected Health Information, provide Breach notification for each and every Breach of Unsecured Protected Health Information by Business Associate's breach of , its employees, representatives, agents or subcontractors, in a manner that permits Covered Entity to comply with its obligations under this AgreementSubpart D, Business Associate shall bear all reasonable direct and indirect costs associated with such determination includingNotification in the Case of Breach of Unsecured PHI, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident.Privacy and Security Regulations, including: d(a) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 12(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of Notifying each Individual whose unsecured PHI Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been been, accessed, acquired, used Used, or disclosed during the Incident and any Disclosed as a result of the following information Covered Entity is such 
Breach; (b) The notification required to include in its notice by paragraph (a) of this Section 2.6 shall include, to the Individual pursuant to 45 C.F.R. §164.404(c):extent possible: i. (i) A brief description of what happened, including the date of the Incident Breach and the date of the discovery of the IncidentBreach, if known; (ii. ) A description of the types of unsecured PHI Unsecured Protected Health Information that were involved in the Incident Breach (e.g. Social Security number, such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (iii. ) Any steps the Individual should take to protect themselves him or herself from potential harm resulting from the IncidentBreach; (iv. ) A brief description of what Business Associate is being done doing to investigate the IncidentBreach, to mitigate the harm to individuals, and to protect against future Incidentsany further Breaches; and v. (v) Contact procedures for Individuals Individual(s) to ask questions or learn additional information information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures)address. e(vi) Such additional information must The notification required by paragraph (a) of this section shall be submitted written in plain language Covered Entity, in its sole discretion, may elect to Covered Entity immediately at provide the time the information becomes available to Business Associate. f) If the cause of a breach of PHI is attributable to Business Associate or its agentsnotification required by this Section 2.6, subcontractors or vendors, Business Associate is responsible for all required reporting of the breach as specified in 42 U.S.C. 
section 17932 and its implementing regulations, including, without limitation, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to reimburse Covered Entity in addition to Business Associate, Business Associate shall notify any and all costs incurred by Covered Entity, and Covered Entity and including costs of notification, internet posting, or media publication, as a result of Business Associate may take appropriate action to prevent duplicate reportingAssociate's Breach of Unsecured Protected Health Information.

Appears in 3 contracts

Samples: Custodial Services Agreement, Master Agreement, Business Associate Agreement

Breach Notification. In the event of a breach of Protected Health Information, as defined by HIPAA and/or the HITECH Act, the Business Associate and/or the Covered Entity shall have certain reporting requirements. If there is a breach or perceived breach of Protected Health Information, Business Associate shall immediately, and within no event later than five (5) days of discovery of a Breach, notify the Covered Entity in writing of the occurrence and identify all individuals whose Protected Health Information has been, or is reasonably believed to have been Breached, provided however, that such period may be extended in the event a law enforcement official provides notice requiring a delay of notification. Business Associate shall immediately, and within no event later than five (5) days of discovery of a Breach, provide Covered Entity with all information required by HIPAA and all information requested by Covered Entity and full details related to the Breach. Business Associate agrees that Covered Entity shall have the right to determine whether notice is to be provided to any Individual, regulator, law enforcement agency, consumer reporting agency, media outlet, and/or HHS, or others as required by law or regulation. Business Associate shall cooperate and assist Covered Entity fully with Covered Entity in Covered Entity’s investigation of any Breach, including providing access to facilities, facilitating interviews with employees and others involved in the matter, and making available all records, logs, files, systems, and data related in any way to the Protected Health Information and/or the Breach, as well as in making the notification to third parties required by law in the event of a Breach by Business Associate and/or Business Associate’s agents or subcontractors. Business Associate shall bear all costs and expenses involved or related to such notification and in mitigating harm to those Individuals, and Business Associate shall reimburse Covered Entity for any costs or expenses Covered Entity incurs in relation to the Breach and in mitigating its consequences. Breach shall include for purposes of this section any actual or suspected breach of security or unauthorized use of disclosure of PHI. Business Associate acknowledges that it may be directly liable for civil and/or criminal penalties or fines upon an intentional Breach of PHI, HIPAA, and/or breach of this Agreement.

Appears in 1 contract

Samples: Licensing Procedure

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain PHI. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of PHI by Business Associate. a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured PHI, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of PHI which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: i. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and ii. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. 
b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured PHI and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. c) If Covered Entity determines that it may need to notify any Individual(s) as a result of such Incident that is attributable to Business Associate's breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident. d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 12(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Incident and any of the following information Covered Entity is required to include in its notice to the Individual pursuant to 45 C.F.R. §164.404(c): i. A brief description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; ii. A description of the types of unsecured PHI that were involved in the Incident (e.g. Social Security number, full name, date of birth, address, diagnosis); iii. 
Any steps the Individual should take to protect themselves from potential harm resulting from the Incident; iv. A brief description of what is being done to investigate the Incident, mitigate the harm and protect against future Incidents; and v. Contact procedures for Individuals to ask questions or learn additional information which shall include a toll-free number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures). e) Such additional information must be submitted to Covered Entity immediately at the time the information becomes available to Business Associate. f) If the cause of a breach of PHI is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing regulations, including, without limitation, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reporting.

Appears in 1 contract

Samples: Standard Agreement

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain Protected Health Information. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of Protected Health Information by Business Associate. (a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured Protected Health Information, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of Protected Health Information which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: (i) Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and (ii) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. 
(b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured Protected Health Information and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. Business Associate and Covered Entity will cooperate in developing the content of any public statements. Covered California – Final Health Plan Contract Attachments, May 620117, 2013 Attachment 15-4 (c) If Covered Entity determines that it may need to notify any Individual(s) as a result of such Incident that is attributable to Business Associate’s breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident. (d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 14(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Incident and any of the following information Covered Entity is required to include in its notice to the Individual pursuant to 45 C.F.R. §§ 164.404(c): 
(i) A brief description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; (ii) A description of the types of unsecured Protected Health Information that were involved in the Incident (e.g., Social Security number, full name, date of birth, address, diagnosis); (iii) Any steps the Individual should take to protect themselves from potential harm resulting from the Incident; (iv) A brief description of what is being done to investigate the Incident, mitigate the harm and protect against future Incidents; and (v) Contact procedures for Individuals to ask questions or learn additional information which shall include a toll-free number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures). (e) Such additional information must be submitted to Covered Entity immediately at the time the information becomes available to Business Associate. (f) If the cause of a breach of Protected Health Information is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required notifications and reporting of the breach as specified in 42 U.S.C. § 17932 and its implementing regulations, including, without limitation, individual notifications, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured Protected Health Information involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. Such notification(s) and required reporting shall be done in cooperation with Exchange and subject to Exchange’s review and approval. 
If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reporting.

Appears in 1 contract

Samples: Qualified Health Plan Contract

Breach Notification. In the event Service Provider becomes aware of any Security Breach, Service Provider shall, (i) immediately notify Company’s Chief Compliance Officer of such Security Breach and perform a root cause analysis thereon, (ii) investigate such Security Breach, (iii) provide a remediation plan, acceptable to Company, to address the Security Breach and prevent any further incidents, (iv) conduct a forensic investigation to determine what systems, data and information have been affected by such event; and (v) cooperate with Company, any law enforcement or regulatory officials, credit reporting companies, and credit card associations investigating such Security Breach. Subsequent to the initial response to any Security Breach as set forth above, the parties shall cooperate in good faith to determine financial responsibility for such event, as follows. If the Security Breach is a result of an act or omission of Service Provider other than in accordance with the terms of this Agreement, including the applicable SOW, such corrective actions shall be provided by Service Provider at its own expense. If the Security Breach does not result from an act or omission of Provider other than in accordance with the terms of this Agreement, including the applicable SOW, such corrective actions shall be provided pursuant to the Change Control Procedures. Without limiting the foregoing, Company shall make the final decision on notifying Company’s customers, employees, service providers and/or the general public of such Security Breach, and the implementation of the remediation plan. If a notification to a customer is required under any Law or pursuant to any of Company’s privacy or security policies, then notifications to all customers who are affected by the same event (as reasonably determined by Company) shall be considered legally required. Any changes to the Services necessary as a result of such Security Breach which constitute Additional Services (as defined in the Charges Schedule) shall be subject to the Change Control Procedures.

Appears in 1 contract

Samples: Master Services Agreement (Eurobancshares Inc)

Breach Notification. Business Associate agrees to implement response programs and record-keeping systems to enable Business Associate to comply with the requirements of this Section and 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Part 164 of Title 45 of the Code of Federal Regulations, when Business Associate detects or becomes aware of unauthorized access to information systems or documents that contain Protected Health Information. Business Associate agrees to mitigate any effects of the inappropriate use or disclosure of Protected Health Information by Business Associate. (a) Business Associate agrees to notify Covered Entity, by facsimile or telephone, of any breach or suspected breach of its security related to areas, locations, systems, documents or electronic systems which contain unsecured Protected Health Information, including, without limitation, any Security Incident, instance of theft, fraud, deception, malfeasance, or use, access or disclosure of Protected Health Information which is inconsistent with the terms of this Agreement (an "Incident") immediately upon having reason to suspect that an Incident may have occurred, and typically prior to beginning the process of verifying that an Incident has occurred or determining the scope of any such Incident, and regardless of the potential risk of harm posed by the Incident. Notice shall be provided to the Covered Entity’s representative designated in this Agreement. Upon discovery of a breach or suspected Incident, Business Associate shall take: (i) Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and (ii) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. 
(b) In the event of any such Incident, Business Associate shall further provide to Covered Entity, in writing, such details concerning the Incident as Covered Entity may request, and shall cooperate with Covered Entity, its regulators and law enforcement to assist in regaining possession of such unsecured Protected Health Information and prevent its further unauthorized use, and take any necessary remedial actions as may be required by Covered Entity to prevent other or further Incidents. Business Associate and Covered Entity will cooperate in developing the content of any public statements. (c) If Covered Entity determines that it may need to notify any Individual(s) as a result of such Incident that is attributable to Business Associate’s breach of its obligations under this Agreement, Business Associate shall bear all reasonable direct and indirect costs associated with such determination including, without limitation, the costs associated with providing notification to the affected Individuals, providing fraud monitoring or other services to affected Individuals and any forensic analysis required to determine the scope of the Incident. (d) In addition, Business Associate agrees to update the notice provided to Covered Entity under Section 14(a) of this Agreement of such Incident to include, to the extent possible and as soon as possible working in cooperation with Covered Entity, the identification of each Individual whose unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Incident and any of the following information Covered Entity is required to include in its notice to the Individual pursuant to 45 C.F.R. §§ 164.404(c): (i) A brief description of what happened, including the date of the Incident and the date of discovery of the Incident, if known; 
(ii) A description of the types of unsecured Protected Health Information that were involved in the Incident (e.g., Social Security number, full name, date of birth, address, diagnosis); (iii) Any steps the Individual should take to protect themselves from potential harm resulting from the Incident; (iv) A brief description of what is being done to investigate the Incident, mitigate the harm and protect against future Incidents; and (v) Contact procedures for Individuals to ask questions or learn additional information which shall include a toll-free number, an e-mail address, Web site, or postal address (provided, Subsection v is only applicable if Covered Entity specifically requests Business Associate to establish contact procedures). (e) Such additional information must be submitted to Covered Entity immediately at the time the information becomes available to Business Associate. (f) If the cause of a breach of Protected Health Information is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required notifications and reporting of the breach as specified in 42 U.S.C. § 17932 and its implementing regulations, including, without limitation, individual notifications, notification to media outlets and to the Secretary of the Department of Health & Human Services. If a breach of unsecured Protected Health Information involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. Such notification(s) and required reporting shall be done in cooperation with Exchange and subject to Exchange’s review and approval. 
If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to Covered Entity in addition to Business Associate, Business Associate shall notify Covered Entity, and Covered Entity and Business Associate may take appropriate action to prevent duplicate reporting.

Appears in 1 contract

Samples: Qualified Health Plan Contract

Breach Notification. Without unreasonable delay and in no case later than ten (10) days after discovering a Breach involving PHI that is Unsecured Protected Health Information, Business Associate shall report such Breach to Covered Entity in writing, setting forth the date of discovery thereof, the identities of affected individuals (or, if such identities are unknown at that time, the classes of such individuals), a general description of the nature of the incident, and such other information as is required pursuant to HIPAA or reasonably requested by Covered Entity. For purposes hereof, a Breach shall be deemed discovered by Business Associate when it is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall report to Covered Entity in writing any use or disclosure of PHI that is not permitted by this BAA, other than a Breach involving PHI that is Unsecured Protected Health Information, within thirty (30) days of Business Associate’s discovery thereof. Business Associate shall report to Covered Entity in writing any Security Incident involving PHI that is Electronic Protected Health Information within thirty (30) days of Business Associate’s discovery thereof. The Parties acknowledge and agree that this section requires notice by Business Associate to Covered Entity of the ongoing occurrence of incidents that may constitute Security Incidents but that are trivial and do not result in unauthorized access, use, or disclosure of PHI that is Electronic Protected Health Information, including pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denials of service, for which no additional notice to Covered Entity shall be required.

Appears in 1 contract

Samples: Business Associate Agreement

Breach Notification. The AGO will comply with the notification provisions of the HIPAA Rules in the event of a Breach of Unsecured PHI. Any suspected Breach of Unsecured PHI by the AGO will be immediately reported to the Privacy Officer. The Privacy officer will promptly investigate and determine whether a Breach of Unsecured PHI has occurred. A Breach is presumed to have occurred if there is an unauthorized access, acquisition, or disclosure of Unsecured PHI unless the AGO can show that there is a low probability that the information was compromised based on a risk assessment of: a. The nature and extent of the PHI involved; b. The unauthorized person who used the PHI or to whom the Disclosure was made; c. Whether the PHI was actually acquired or viewed; and d. The extent to which the risk to the PHI has been mitigated. A Breach does not include any of the following: a. An unintentional acquisition, access, or use of PHI by a workforce member or a person acting under the authority of a Covered Entity or Business Associate if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in an impermissible manner; b. Any inadvertent disclosure by someone who is authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same entity and the information received as a result of the disclosure is not further used or disclosed in an impermissible manner; c. A disclosure of PHI where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. If the Privacy Officer determines that the AGO has experienced a Breach of Unsecured PHI, he will notify the Covered Entity whose PHI is affected by the Breach within 60 days after the Breach was discovered, unless a law enforcement official asks the AGO not to report the Breach under 45 C.F.R. §164.412. A Breach is discovered when the AGO knows of the Breach or, by exercising reasonable diligence, an individual who is an employee, officer, or agent of the AGO would have known about the breach. The AGO will provide the Covered Entity with the following information regarding the Breach: a. The identity of the individual(s) whose Unsecured PHI was improperly accessed, used, or disclosed; b. A brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known; c. A description of the types of Unsecured PHI that were involved in the Breach (e.g., full name, SSN, diagnosis code, etc.); d. Any steps the individuals should take to protect themselves from potential harm resulting from the Breach; e. A brief description of what the AGO is doing to investigate the Breach, mitigate the harm to individuals, and protect against further Breaches; and f. Contact procedures for individuals to ask questions or learn additional information which will include a toll-free telephone number, an email address, website, or postal address.

Appears in 1 contract

Samples: Consulting Agreement

Breach Notification. Business Associate shall, to the extent Covered Entity determines that there has been a Breach of Unsecured Protected Health Information, provide Breach notification for each and every Breach of Unsecured Protected Health Information by Business Associate, its employees, representatives, agents or subcontractors, in a manner that permits Covered Entity to comply with its obligations under Subpart D, Notification in the Case of Breach of Unsecured PHI, of the Privacy and Security Regulations, including: (a) Notifying each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, Used, or Disclosed as a result of such Breach; (b) The notification required by paragraph (a) of this Section 2.6 shall include, to the extent possible: (i) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (ii) A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (iii) Any steps the Individual should take to protect him or herself from potential harm resulting from the Breach; (iv) A brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to individuals, and to protect against any further Breaches; and (v) Contact procedures for Individual(s) to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. (vi) The notification required by paragraph (a) of this section shall be written in plain language. Covered Entity, in its sole discretion, may elect to provide the notification required by this Section 2.6, and Business Associate shall reimburse Covered Entity any and all costs incurred by Covered Entity, including costs of notification, internet posting, or media publication, as a result of Business Associate's Breach of Unsecured Protected Health Information.

Appears in 1 contract

Samples: Master Agreement for Project Management Services
