Complete Report. To provide a complete report of the investigation to the CCHCS Program Contract Manager, the CCHCS Privacy Officer, and the CCHCS Information Security Officer within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. If all the required information was not included in either the initial report or the Investigation Report, then a separate Complete Report must be submitted. The report shall be submitted on the CCHCS Information Security Incident Report form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If CCHCS requests information in addition to that listed on the CCHCS Information Security Incident Report form, Business Associate shall make reasonable efforts to provide CCHCS with such information. If necessary, a Supplemental Report may be used to submit revised or additional information after the completed report is submitted, by submitting the revised or additional information on an updated “CCHCS Information Security Incident Report” form. CCHCS will review and approve or disapprove the determination of whether a breach occurred, is reportable to the appropriate entities, if individual notifications are required, and the corrective action plan.

De-identification of Individuals. If the cause of a breach of PHI or PII is attributable to Business Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any cost associated with the breach. The notifications shall comply with requirements set forth in 42 U.S.C. section 17932 and implementing regulations, including, but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days. The CCHCS Program Contract Manager, the CCHCS Privacy Officer, and the CCHCS Information Security Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made.