Common use of Breach or Other Improper Access, Use or Disclosure Reporting Clause in Contracts

Breach or Other Improper Access, Use or Disclosure Reporting. The Business Associate must report to the Covered Entity, in writing, any access, use or disclosure of protected health information not permitted by the Contract, Addendum or HIPAA Regulations by Business Associate or its agents or subcontractors. The Covered Entity must be notified immediately upon discovery or the first day such breach or suspected breach is known to the Business Associate or by exercising reasonable diligence would have been known by the Business Associate in accordance with HIPAA Regulations. In the event of a breach or suspected breach of protected health information, the report to the Covered Entity must be in writing and include the following: a brief description of the incident; the date of the incident; the date the incident was discovered by the Business Associate; a thorough description of the unsecured protected health information that was involved in the incident; the number of individuals whose protected health information was involved in the incident; and the steps the Business Associate or its agent or subcontractor is taking to investigate the incident and to protect against further incidents. The Covered Entity will determine if a breach of unsecured protected health information has occurred and will notify the Business Associate of the determination. If a breach of unsecured protected health information is determined, the Business Associate must take prompt corrective action to cure any such deficiencies and mitigate any significant harm that may have occurred to individual(s) whose information was disclosed inappropriately.

Breach or Other Improper Access, Use or Disclosure Reporting. The Business Associate must report to the Covered Entity, in writing, any access, use or disclosure of protected health information not permitted by the Contract, Addendum or HIPAA Regulations Regulations, by the Business Associate or its agents or subcontractors. The Covered Entity must be notified immediately upon discovery discovery, or the first day such breach or suspected breach is known to the Business Associate Associate, or by exercising reasonable diligence would have been known by the Business Associate Associate, in accordance with HIPAA Regulations. In the event of a breach or suspected breach of protected health information, the report to the Covered Entity must be in writing and include the following: a brief description of the incident; the date of the incident; the date the incident was discovered by the Business Associate; a thorough description of the unsecured protected health information that was involved in the incident; the number of individuals whose protected health information was involved in the incident; and the steps the Business Associate or its agent or subcontractor is taking to investigate the incident and to protect against further incidents. The Covered Entity will determine if a breach of unsecured protected health information has occurred and will notify the Business Associate of the determination. If a breach of unsecured protected health information is determined, the Business Associate must take prompt corrective action to cure any such deficiencies and mitigate any significant harm that may have occurred to individual(s) whose information was disclosed inappropriately.