Breach of Unsecured PHI. Business Associate shall, following the discovery of an actual or suspected Breach of Unsecured Protected Health Information, provide written notice of the Breach (“BA Notice”) to the applicable LIBERTY Entity(ies) within one (1) business day of discovering the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable due diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a Representative of Business Associate. The BA Notice shall include the following information: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach, (ii) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, who or what caused the Breach, and who received the PHI, (iii) a description of the types of Unsecured Protected Health Information involved in the Breach, (iv) a description of the action Business Associate took and/or will take to mitigate any deleterious effect of the Breach and a description of the corrective action Business Associate took and/or will take to prevent further Breaches; and (v) any other relevant information. Business Associate shall further provide to LIBERTY any other available information that LIBERTY requests. Upon providing the BA Notice to LIBERTY, Business Associate shall fully cooperate with LIBERTY to enable LIBERTY to confirm whether a Breach occurred and to conduct a risk assessment. 
If it is determined that a Breach occurred, Business Associate shall fully cooperate with LIBERTY with respect to providing any notification of the Breach as required by the HITECH Act and taking all additional actions as may be required to comply with the HITECH Act. Business Associate shall maintain any and all documentation related to the Breach including, without limitation, any documentation necessary to demonstrate that all notifications were made as required by 45 CFR § 164.410 or that the use or disclosure did not constitute a Breach.
Appears in 4 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Breach of Unsecured PHI. Broker shall report to Principal Underwriter without unreasonable delay any acquisition, access, use or disclosure of Unsecured Protected Health Information not permitted by this Agreement at the following e-mail address: xxxxxxxxxxxxxx@xxxxxxxxxxxxxxxxxxxx.xxx. In no case shall such notification occur later than two (2) calendar days of Broker’s discovery of the impermissible acquisition, access, use or disclosure of Unsecured PHI. Discovery will be deemed to occur on the date that Broker actually became aware or, by exercising reasonable diligence should have been aware, of the impermissible acquisition, access, use or disclosure of Unsecured PHI. Such notification shall include an assessment of whether the incident constitutes a “Breach” under 45 CFR § 164.402.
(i) To the extent such assessment concludes that a Breach has occurred, or as requested by Principal Underwriter, such notification shall also include, to the extent possible, the identification of each Individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the incident and any other information that the Principal Underwriter or its Affiliates will be required to include in its notification to the Individual, the media and/or the Secretary, as applicable, including, without limitation, (A) a description of the incident, (B) the date of the incident and the date of its discovery, (C) the types of Unsecured Protected Health Information involved, and (D) a description of Broker’s investigation, mitigation, and prevention efforts.
(ii) In the event of any such Breach, Broker shall also: fully cooperate with Principal Underwriter and its Affiliates in connection with the investigation of such Breach; not make any public announcements or notifications to any government authority, potentially affected Individual or entity, or other third party without Principal Underwriter’s prior written approval; take all necessary and appropriate corrective action, including (without limitation, at the request of Principal Underwriter, and at the expense of Broker): (A) providing notice to all persons whose PHI may have been affected by such Breach, whether or not such notice is required by Applicable Law, (B) establishing a toll-free telephone number where affected Individuals may receive information, and (C) providing credit monitoring/repair and/or identity restoration/insurance for affected Individuals for one year following the announcement or disclosure of the Breach or following notice to the affected Individuals, whichever is later. If a longer period is requested or required by Applicable Law or the demand or request of any government authority, such services shall be provided for at least that long.
(iii) Notwithstanding any other clause hereof, Broker shall indemnify, hold harmless, and reimburse Principal Underwriter and its Affiliates from all claims, losses, and expenses caused by any such Breach and for all reasonable fees and costs Principal Underwriter and its Affiliates may incur in connection with investigation, remediation, reporting, and notification efforts, including but not limited to, retaining a computer forensics experts, providing credit monitoring and identity theft services to affected individuals, and responding to the Breach (e.g., costs of notification to affected individuals and government agencies).
Appears in 2 contracts
Samples: Sales Agreement (Brighthouse Separate Account A), Sales Agreement (Brighthouse Separate Account A)
Breach of Unsecured PHI. If a breach of Unsecured PHI, is caused by (or attributable to) the Business Associate and/or its agents or subcontractors, must notify Plan following the discovery of the breach without unreasonable delay and, in all cases, no later than two (2) business days from the discovery of the HIPAA breach. The Business Associate shall provide the Plan with all information required by 45 C.F.R. § 164.410 that the Business Associate has or may obtain without unreasonable difficulty. The Business Associate will provide such information to the Plan in the manner required by the HIPAA Regulations. The Business Associate’s report shall include but is not limited to the following:
(i) Identify the nature of the non-permitted use or disclosure including how such use or disclosure was made;
(ii) Identify Plan’s PHI used or disclosed;
(iii) Identify who received the non-permitted disclosure;
(iv) Identify what corrective action the Business Associate took or will take to prevent further non-permitted uses or disclosures;
(v) Identify what the Business Associate did and/or will do to mitigate any deleterious effect resulting from the non-permitted use or disclosure; and
(vi) Provide such other information, including a written report, as Plan may reasonably request. The Business Associate will reimburse the Plan for all reasonable expenses Plan incurs to notify individuals of any breach experienced by the Business Associate or the Business Associate’s subcontractors, and for all reasonable expenses that the Plan incurs (or will incur) in mitigating harm to Individuals as well as to the Plan. Breaches shall be treated as discovered in accordance with the terms of the HIPAA Rule. This subsection shall survive the expiration or termination of this Agreement and shall remain in effect for at least one (1) year after the Business Associate (or its subcontractors or agents) has ceased to maintain any of the Plan’s PHI.
Appears in 1 contract
Samples: Business Associate Agreement
Breach of Unsecured PHI. Business Associate shall investigate each unauthorized access, acquisition, Use, or Disclosure of Covered Entity’s PHI that it discovers to determine whether such unauthorized access, acquisition, Use, or Disclosure constitutes a reportable Breach of Unsecured PHI. If Business Associate determines that a reportable Breach of Unsecured PHI has occurred, Business Associate shall notify Covered Entity of such Breach in writing without unreasonable delay but no later than three (3) calendar days after discovery of the Breach, in accordance with 45 C.F.R. §164.410(c).
Business Associate shall fully cooperate with Covered Entity in meeting Covered Entity’s obligations under the HITECH Act with respect to such Breach. Covered Entity shall have sole control over the timing and method of providing any notification of such Breach to the affected individual(s), the Secretary and, if applicable, the media, as required by the HITECH Act. Business Associate shall reimburse Covered Entity for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach. Availability of Internal Practices, Books, and Records to Government. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act. Except to the extent prohibited by law, Business Associate shall notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary.
Access to and Amendment of Protected Health Information. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Covered Entity for inspection and copying or, as directed by Covered Entity, to an individual, within fifteen (15) days of a request by Covered Entity, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524. If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate shall provide such information in the electronic form and format requested by the Covered Entity if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by
Appears in 1 contract
Samples: Billing Services Agreement
Breach of Unsecured PHI. Broker shall report to Brighthouse without unreasonable delay any acquisition, access, use or disclosure of Unsecured Protected Health Information not permitted by this Agreement. In no case shall such notification occur later than two (2) calendar days of Broker’s discovery of the impermissible acquisition, access, use or disclosure of Unsecured PHI. Discovery will be deemed to occur on the date that Broker actually became aware or, by exercising reasonable diligence should have been aware, of the impermissible acquisition, access, use or disclosure of Unsecured PHI. Such notification shall include an assessment of whether the incident constitutes a “Breach” under 45 CFR § 164.402.
(i) To the extent such assessment concludes that a Breach has occurred, or as requested by Brighthouse, such notification shall also include, to the extent possible, the identification of each Individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the incident and any other information that the Brighthouse will be required to include in its notification to the Individual, the media and/or the Secretary, as applicable, including, without limitation, (A) a description of the incident, (B) the date of the incident and the date of its discovery, (C) the types of Unsecured Protected Health Information involved, and (D) a description of Broker’s investigation, mitigation, and prevention efforts.
(ii) In the event of any such Breach, Broker shall also: fully cooperate with Brighthouse in connection with the investigation of such Breach; not make any public announcements or notifications to any government authority, potentially affected Individual or entity, or other third party without Brighthouse’s prior written approval; take all necessary and appropriate corrective action, including (without limitation, at the request of Brighthouse, and at the expense of Broker): (A) providing notice to all persons whose PHI may have been affected by such Breach, whether or not such notice is required by Applicable Law, (B) establishing a toll-free telephone number where affected Individuals may receive information, and (C) providing credit monitoring/repair and/or identity restoration/insurance for affected Individuals for one year following the announcement or disclosure of the Breach or following notice to the affected Individuals, whichever is later. If a longer period is requested or required by Applicable Law or the demand or request of any government authority, such services shall be provided for at least that long.
(iii) Notwithstanding any other clause hereof, Broker shall indemnify, hold harmless, and reimburse Brighthouse from all claims, losses, and expenses caused by any such Breach and for all reasonable fees and costs Brighthouse may incur in connection with investigation, remediation, reporting, and notification efforts, including but not limited to, retaining a computer forensics experts, providing credit monitoring and identity theft services to affected individuals, and responding to the Breach (e.g., costs of notification to affected individuals and government agencies).
Appears in 1 contract
Samples: Broker Agreement
Breach of Unsecured PHI. Business Associate will report to Covered Entity any suspected Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents. [GPM Note: if CE wants breach notification to go to someone at CE who is not the official designated to receive general notice under this BAA (i.e., if CE wants notice to go to its Privacy Officer but less pressing contract issues to go to the contracting department), CE can designate a specific contact to receive breach notification from BA. Otherwise notice can go to the general notice point for contracting issues]. [Option A] [All notifications of Breach of Unsecured PHI will be made by Business Associate to ________________ at Covered Entity.] [Option B] All notifications of Breach of Unsecured PHI will be made by Business Associate to the Covered Entity official designated in Section VIII(c) of this Agreement] All notifications required under this Section will be made by Business Associate without unreasonable delay and in no event later than [one (1) business day] [two (2) days] of discovery. [GPM Note: if CE will do breach analysis itself, CE should require very short notice period so that it can begin analysis quickly]. Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the suspected Breach is treated as discovered. Covered Entity shall have discretion to determine whether a suspected Breach has given rise to a Breach.
Business Associate will cooperate with Covered Entity and provide such information as Covered Entity reasonably requires in making this determination. In notifying Covered Entity of a suspected Breach, Business Associate will provide, to the extent reasonably possible, as much of the information it has that would be required in notifying a Covered Entity of a Breach, under 45 C.F.R. § 164.410. If Covered Entity determines that a Breach has occurred, Business Associate will provide any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.404(c). In the event Covered Entity determines a Breach has occurred that was caused by the acts or omissions of Business Associate, its Subcontractors, officers, directors, employees or agents, Business Associate will cooperate with Covered Entity to notify, [GPM Note: CE should consider whether to require BA to cover costs of notification due to a breach caused by BA] [at Business Associate’s expense], (i) individuals whose Unsecured PHI has been, or is reasonably believed by Covered Entity to have been, accessed, acquired, used or disclosed, and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach. [GPM Note: following sentence relates to whether CE wants BA to be responsible for costs of notification.
If not, this sentence can be deleted] [Business Associate will indemnify Covered Entity for any reasonable expenses Covered Entity incurs in notifying individuals, the media and related expenses arising from a Breach, or costs of mitigation related thereto, caused by Business Associate or its officers, directors, employees, Subcontractors or agents.] Business Associate will cooperate in Covered Entity’s Breach analysis process and procedures, if requested. Covered Entity will at all times have the final decision about the content of any notification required to be given under the Regulations. Access. In the event an Individual requests access to PHI in a Designated Record Set from Business Associate, Business Associate will provide Covered Entity with notice of the same within [two (2)] [three (3)] [five (5)] days. Business Associate will provide access, within [two (2)] [three (3)] [five (5)] days of a request of Covered Entity and in the manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity, or, as directed by Covered Entity, to an Individual or the Individual’s designee in order to meet the requirements under 45 C.F.R. § 164.524 (Access).
If the PHI that is the subject of a request is maintained by the Business Associate in a Designated Record Set electronically, Business Associate will provide an electronic copy of such information to the Covered Entity, or, as directed by the Covered Entity, to the Individual or the Individual’s designee, in the format required by the Regulations and as directed by Covered Entity, in order to meet the Covered Entity’s obligations under 45 C.F.R. § 164.524. Access. Business Associate will make available PHI in a Designated Record Set as necessary to satisfy Covered Entity obligations under 45 C.F.R. § 164.524 (access).
Appears in 1 contract
Samples: Business Associate Agreement