Data Breach Notification and Mitigation. Business Associate agrees to promptly notify Covered Entity of any “Breach” of “Unsecured PHI” as those terms are defined by 45 C.F.R. §164.402 (hereinafter a “Data Breach”). The Parties acknowledge and agree that 45 C.F.R. §164.404, as described below in this Section, governs the determination of the date of a Data Breach. Business Associate shall, following the discovery of a Data Breach, promptly notify Covered Entity and in no event later than five (5) calendar days after Business Associate discovers such Data Breach, unless Business Associate is prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigations. For purposes of reporting a Data Breach to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such Data Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be considered to have had knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Data Breach) who is an employee, officer or other agent of Business Associate. No later than five (5) calendar days following a Data Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the Data Breach notification requirements set forth at 45 C.F.R. §164.400 et seq. 
Specifically, if the following information is known to (or can be reasonably obtained by) Business Associate, Business Associate shall provide Covered Entity with: (i) contact information for Individuals who were or who may have been impacted by the Data Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Data Breach, including the date of the Data Breach, date of discovery, and number of Individuals affected by the Data Breach; (iii) a description of the types of unsecured PHI involved in the Data Breach (e.g., names, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnosis and/or billing codes and similar information); (iv) a brief description of what the Business Associate has done or is doing to investigate the Data Breach, mitigate harm to the Individual impacted by the Data Breach, and protect against future Data Breaches; and (v) appoint a liaison and provide contact information for same so that the Covered Entity may ask questions and/or learn additional information concerning the Data Breach. Following a Data Breach, Business Associate shall have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Data Breach, including but not limited to the information described in the items above.
Appears in 4 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Professional Services Agreement
Data Breach Notification and Mitigation. Business Associate agrees to promptly notify Covered Entity of any “breach” of “unsecured PHI” as those terms are defined by HIPAA (hereinafter a “Data Breach”). The Parties acknowledge and agree that 45 C.F.R. §164.404, as described below in this Section, governs the determination of the date of a Data Breach. Business Associate shall, following the discovery of a Data Breach, promptly notify Covered Entity and in no event later than three (3) calendar days after Business Associate discovers such Data Breach, unless Business Associate is prevented from doing so by HIPAA concerning law enforcement investigations. Such information shall include a brief description of the circumstances of the Data Breach, including the date of the Data Breach, date of discovery, and estimated number of individuals affected by the Data Breach. For purposes of reporting a Data Breach to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such Data Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be considered to have had knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Data Breach) who is an employee, officer or other agent of Business Associate. No later than seven (7) calendar days following the Data Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the Data Breach notification requirements set forth in HIPAA.
Specifically, such information shall include but not be limited to Business Associate’s risk assessment which conforms to the requirements of HIPAA, and shall include: (i) the nature and extent of the PHI involved (e.g., names, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnosis and/or billing codes and similar information), and the likelihood of re-identification; (ii) contact information for all individuals who were or who may have been impacted by the Data Breach (e.g., first and last name, mailing address, street address, phone number, email address); (iii) a detailed description of the circumstances of the Data Breach, including the date of the Data Breach, date of discovery, and number of individuals affected by the Data Breach; (iv) the identity of the unauthorized person who used the PHI or to whom the disclosure was made; (v) whether the PHI was actually acquired or viewed by the unauthorized person; (vi) the probability that the impermissible use or disclosure did or did not compromise PHI; (vii) what Business Associate has done to mitigate harm to the individuals impacted by the Data Breach; (viii) a brief description of what the Business Associate has done or is doing to investigate the Data Breach, mitigate harm to the Individual impacted by the Data Breach, and protect against future Data Breaches; and (v) appoint a liaison and provide contact information for same so that the Covered Entity may ask questions and/or learn additional information concerning the Data Breach.
Following a Data Breach, Business Associate shall have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the Data Breach, including but not limited to the information described in the items above.
Appears in 1 contract
Samples: Business Associate Agreement