Documenting and Reporting Breaches. 6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
6.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions.
6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not necessitate notice to the impacted individual(s), it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised. When a breach is the responsibility of a member of its Subcontractor’s workforce, Business Associate shall either 1) conduct its own risk assessment and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment and draft a summary of the event. In either case, Business Associate shall make these assessments and reports available to Covered Entity.
6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days after becomes aware of the B...
Documenting and Reporting Breaches. Business Partner shall report to DVHA any Breach of PII as soon as it (or any of its employees or agents) becomes aware of such Breach, and in no case later than one (1) hour after it (or any of its employees or agents) become aware of the Breach. If DVHA determines that a Breach of PII occurred for which one of Business Partner’s employees or agents was responsible, upon its request, Business Partner shall provide notice to the individual(s) whose PII was the subject of the Breach. When requested to provide notice, Business Partner shall consult with DVHA about the timeliness, content and method of notice, and shall receive DVHA’s approval concerning these elements. The cost of notice and related remedies shall be borne by Business Partner. Business Partner shall also be responsible for any reporting as required by 9 V.S.A. § 2435.
Documenting and Reporting Breaches. 5.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI as soon as it (or any of its employees or agents) become aware of any such Breach, and in no case later than three (3) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
5.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR §164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it.
5.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce does not pose a significant risk of harm to the affected individuals, it shall document its assessment of risk. Such assessment shall include: 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low risk of harm. When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity.
Documenting and Reporting Breaches. 6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than two
