Documenting and Reporting Breaches. 5.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI as soon as it (or any of its employees or agents) become aware of any such Breach, and in no case later than three (3) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
5.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR §164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it.
5.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce does not pose a significant risk of harm to the affected individuals, it shall document its assessment of risk. Such assessment shall include: 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low risk of harm. When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity.
Appears in 13 contracts
Samples: Contract #29990, Contract #29992, Contract for Personal Services
Documenting and Reporting Breaches. 5.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than three (3) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
5.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR §164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it.
5.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce does not pose a significant risk of harm to the affected individual(s), it shall document its assessment of risk. Such assessment shall include: 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low risk of harm. When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity.
Appears in 8 contracts
Samples: Grant Agreement, Grant Agreement, Grant Agreement
Documenting and Reporting Breaches. 5.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than three (3) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
5.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR §164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it.
5.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce does not pose a significant risk of harm to the affected individuals, it shall document its assessment of risk. Such assessment shall include: 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low risk of harm. When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity.
Appears in 1 contract
Samples: Personal Services Contract