Data Breach Notification and Obligations.
10.1 The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days of discovery. To the extent possible, these reports must include the following:
A. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.
B. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.
C. A description of the types of PHI involved;
D. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.
E. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used or disclosed and the steps those Clients should take to protect themselves; and
F. Any other information HCA reasonably requests.
10.3 The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 Contractor is responsible for all costs incurred in connection with a security incident, Data Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.
C. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 Any Breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.3, of all HCA Data.
10.7 Contractor’s obligations regarding Data Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 2 contracts
Samples: Prevention and Promotion Client Services Contract, Prevention and Promotion Client Services Contract
Data Breach Notification and Obligations. 10.1
11.1 The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 11.2 If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. : The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.
B. ; The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.
C. ; A description of the types of PHI involved;
D. ; The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.
E. ; Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used or disclosed and the steps those Clients should take to protect themselves; and
F. and Any other information HCA reasonably requests.
10.3 11.3 The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 11.4 If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 11.5 Contractor is responsible for all costs incurred in connection with a security incident, Data Breach, or potential compromise of Data, including:
A. : The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. . Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.
C. ; Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. and Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. . Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 11.6 Any Breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.37.4, of all HCA Data.
10.7 11.7 Contractor’s obligations regarding Data Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 10.1 11.1. The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 11.2. If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. a. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.;
B. b. The nature of the unauthorized use Use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.;
C. c. A description of the types of PHI involved;
D. d. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.;
E. e. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used Used or disclosed and the steps those Clients should take to protect themselves; and
F. f. Any other information HCA reasonably requests.
10.3 11.3. The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 11.4. If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 11.5. Contractor is responsible for all costs incurred in connection with a security incident, Data incident privacy Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. a. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.;
C. b. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data privacy Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. c. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 11.6. Any Breach breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.3, of all HCA Data.
10.7 11.7. Contractor’s obligations regarding Data Breach breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 1 contract
Samples: Client Services Contract
Data Breach Notification and Obligations. 10.1
A. The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 B. If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. i. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.;
B. ii. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.;
C. iii. A description of the types of PHI involved;
D. iv. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.;
E. v. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used or disclosed and the steps those Clients should take to protect themselves; and
F. vi. Any other information HCA reasonably requests.
10.3 C. The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 D. If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 E. Contractor is responsible for all costs incurred in connection with a security incident, Data Breach, or potential compromise of Data, including:
A. i. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. ii. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.;
C. iii. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. v. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 F. Any Breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.3, of all HCA Data.
10.7 G. Contractor’s obligations regarding Data Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 10.1 11.1. The Data Breach or potential compromise of Data shared under this Contract DSA must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 11.2. If the Data Breach or potential compromise of Data includes PHI, and the Contractor Receiving Party does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. a. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.;
B. b. The nature of the unauthorized use Use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.;
C. c. A description of the types of PHI involved;
D. d. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.;
E. e. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used Used or disclosed and the steps those Clients should take to protect themselves; and
F. f. Any other information HCA reasonably requests.
10.3 11.3. The Contractor Receiving Party must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 11.4. If notification must, in the sole judgement of HCA, be made, Contractor Receiving Party will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor Receiving Party may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor Receiving Party must reimburse HCA for all costs associated with notification(s).
10.5 Contractor 11.5. Receiving Party is responsible for all costs incurred in connection with a security incident, Data incident privacy Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. a. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.;
C. b. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data privacy Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. c. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 11.6. Any Breach breach of this section may result in termination of the Contract DSA and the demand for return or disposition, as described in Section 6.3, of all HCA Data.
10.7 Contractor11.7. Receiving Party’s obligations regarding Data Breach breach notification survive the termination of this Contract DSA and continue for as long as Contractor Receiving Party maintains the Data and for any Data Breach or potential compromiseBreach, at any time.
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 10.1 The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 . If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has within one (1) business day of discovery and provide full details within fifteen (15) Business Days business days of discovery. To the extent possible, these reports must include the following:
A. : The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.
B. ; The nature of the unauthorized use Use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.
C. ; A description of the types of PHI involved;
D. ; The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.
E. ; Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used Used or disclosed and the steps those Clients should take to protect themselves; and
F. and Any other information HCA reasonably requests.
10.3 . The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 . If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 . Contractor is responsible for all costs incurred in connection with a security incident, Data incident privacy Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. : Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.
C. ; Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data privacy Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. and Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 . Any Breach breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.37.3, of all HCA Data.
10.7 . Contractor’s obligations regarding Data Breach breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
This section of the Schedule is the Business Associate Agreement required by HIPAA. The Contractor is a “Business Associate” of HCA as defined in the HIPAA Rules.
HIPAA Point of Contact. The point of contact for the Contractor for all required HIPAA-related reporting and notification communications from this Section 12., HIPAA Compliance, and all required Data Breach notification communications from Section 11., Data Breach Notification and Obligations, is:
HCA Privacy Officer
Washington State Health Care Authority
000 0xx Xxxxxx XX
Olympia, WA 00000-0000
Telephone: (000) 000-0000
E-mail: XxxxxxxXxxxxxx@xxx.xx.xxx
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 10.1 The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.;
B. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.;
C. A description of the types of PHI involved;
D. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.;
E. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used or disclosed and the steps those Clients should take to protect themselves; and
F. Any other information HCA reasonably requests.
10.3 The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 Contractor is responsible for all costs incurred in connection with a security incident, Data Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.;
C. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 Any Breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.36.4, of all HCA Data.
10.7 Contractor’s obligations regarding Data Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 10.1
A. The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 B. If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. i. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.;
B. ii. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.;
C. iii. A description of the types of PHI involved;
D. iv. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.;
E. v. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used or disclosed and the steps those Clients should take to protect themselves; and
F. vi. Any other information HCA reasonably requests.
10.3 C. The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 D. If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 E. Contractor is responsible for all costs incurred in connection with a security incident, Data Breach, or potential compromise of Data, including:
A. i. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. ii. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws.;
C. iii. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. v. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
10.6 F. Any Breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.35(c), of all HCA Data.
10.7 G. Contractor’s obligations regarding Data Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 10.1
11.1 The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
10.2 11.2 If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within fifteen (15) Business Days 15 business days of discovery. To the extent possible, these reports must include the following:
A. a. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed.;
B. b. The nature of the unauthorized use Use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery.;
C. c. A description of the types of PHI involved;
D. d. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.;
E. e. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used Used or disclosed and the steps those Clients should take to protect themselves; and
F. f. Any other information HCA reasonably requests.
10.3 11.3 The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
10.4 11.4 If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
10.5 11.5 Contractor is responsible for all costs incurred in connection with a security incident, Data incident privacy Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
a. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws;
b. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
c. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
11.6 Any breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 7.3, of all HCA Data.
11.7 Contractor’s obligations regarding Data breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
11. HIPAA COMPLIANCE This section of the Schedule is the Business Associate Agreement required by HIPAA. The Contractor is a “Business Associate” of HCA as defined in the HIPAA Rules.
12.1 HIPAA Point of Contact. The point of contact for the Contractor for all required HIPAA- related reporting and notification communications from this Section 13, HIPAA Compliance, and all required Data Breach notification communications from Section 12, Data Breach Notification and Obligations, is: HCA Privacy Officer Washington State Health Care Authority 000 0xx Xxxxxx XX Olympia, WA 00000-0000 Telephone: (000) 000-0000 E-mail: XxxxxxxXxxxxxx@xxx.xx.xxx
Appears in 1 contract
Samples: Professional Services
Data Breach Notification and Obligations. 9.1 The Data Breach or potential compromise of Data shared under this Contract must be reported to the HCA Privacy Officer at XxxxxxxXxxxxxx@xxx.xx.xxx within one (1) business day of discovery.
9.2 If the Data Breach or potential compromise of Data includes PHI, and the Contractor does not have full details, it will report what information it has and provide full details within 15 business days of discovery. To the extent possible, these reports must include the following:
A. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed;
B. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery;
C. A description of the types of PHI involved;
D. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence;
E. Any details necessary for a determination of the potential harm to Clients whose PHI is believed to have been used or disclosed and the steps those Clients should take to protect themselves; and
F. Any other information HCA reasonably requests.
9.3 The Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164 Subpart D; RCW 42.56.590; RCW 19.255.010; or WAC 000-00-000.
9.4 If notification must, in the sole judgement of HCA, be made, Contractor will further cooperate and facilitate notification to necessary individuals, to the U.S. Department of Health and Human Services (DHHS) Secretary, and to the media. At HCA’s discretion, Contractor may be required to directly perform notification requirements, or if HCA elects to perform the notifications, Contractor must reimburse HCA for all costs associated with notification(s).
9.5 Contractor is responsible for all costs incurred in connection with a security incident, Data Breach, or potential compromise of Data, including:
A. The reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA reasonably considers appropriate to protect HCA clients.
B. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Data Breach notification laws;
C. Notification and call center services, and other appropriate services (as determined exclusively by HCA) for individuals affected by a security incident or Data Breach, including fraud prevention, credit monitoring, and identity theft assistance; and
D. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s).
E. Compensation to HCA clients for xxxxx caused to them by any Data Breach or possible Data Breach.
9.6 Any Breach of this section may result in termination of the Contract and the demand for return or disposition, as described in Section 6.4, of all HCA Data.
9.7 Contractor’s obligations regarding Data Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Data and for any Data Breach or potential compromise, at any time.
Appears in 1 contract
Samples: Sole Source Contract