Common use of Initial Notice to the Department Clause in Contracts

Initial Notice to the Department. (1) To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured PHI in electronic media or in any other media if the PHI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. (2) To notify the Department within 24 hours (one hour if SSA data) by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI in violation of this Agreement or this Exhibit E-1, or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor. Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance. If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI, notice shall be provided by calling the Information Protection Unit (916.445.4646, 866-866-0602) or by emailing xxxxxxxxxxxxxx@xxxx.xx.xxx). Notice shall be made using the DHCS “Privacy Incident Report” form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “Business Partner” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DH CSBusinessAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PHI, Contractor shall take:

Initial Notice to the Department. (1) To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured PHI in electronic media or in any other media if the PHI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. (2) To notify the Department within 24 hours (one hour if SSA data) by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI in violation of this Agreement or this Exhibit E-1, or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor. Contractor.‌‌‌‌‌ Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance. If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI, notice shall be provided by calling the Information Protection Unit (916.445.4646, 866-866-0602) or by emailing xxxxxxxxxxxxxx@xxxx.xx.xxx). Notice shall be made using the DHCS “Privacy Incident Report” form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “Business Partner” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DH CSBusinessAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PHI, Contractor shall take:

Initial Notice to the Department. (1) To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured PHI in electronic media or in any other media if the PHI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. (2) To notify the Department within 24 hours (one hour if SSA data) by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI in violation of this Agreement or this Exhibit E-1, F-1 or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor. Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance. If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI, notice shall be provided by calling the Information Protection Unit (916.445.4646000) 000-0000, (866-866-0602) 866- 0602 or by emailing xxxxxxxxxxxxxx@xxxx.xx.xxx). Notice shall be made using the DHCS “Privacy Incident Report” form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “Business Partner” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DH CSBusinessAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PHI, Contractor shall take:

Initial Notice to the Department. (1) To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured PHI in electronic media or in any other media if the PHI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. (2) To notify the Department within 24 hours (one hour if SSA data) by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI in violation of this Agreement or this Exhibit E-1, F-1 or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor. Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance. If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI, notice shall be provided by calling the Information Protection Unit (916.445.4646000) 000-0000, 866(000) 000-866-0602) 0000 or by emailing xxxxxxxxxxxxxx@xxxx.xx.xxx). Notice shall be made using the DHCS “Privacy Incident Report” form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “Business Partner” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DH CSBusinessAssociatesOnly.aspx xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DHCSBu sinessAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PHI, Contractor shall take:

Initial Notice to the Department. (1) To notify the Department immediately by telephone call or plus email or fax upon the discovery of a breach of unsecured PHI or PI in electronic media or in any other media if the PHI or PI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to the Department by the Social Security Administration. (2) To notify the Department within 24 hours (one hour if SSA data) by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI or PI in violation of this Agreement or and this Exhibit E-1Addendum, or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor Business Associate as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of ContractorBusiness Associate. Notice shall be provided to the Department Program Contract Manager and the Department Information Protection Unit, Office of HIPAA ComplianceSecurity Officer. If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI, notice shall be provided by calling the Department Information Protection Unit (916.445.4646, 866-866-0602) or by emailing xxxxxxxxxxxxxx@xxxx.xx.xxx)Security Officer. Notice shall be made using the DHCS “Privacy Incident Report” form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (xxx.xxxx.xx.xxx, then select “Privacy” in the left column and then “Business PartnerUse” near the middle of the page) or use this link: xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DH CSBusinessAssociatesOnly.aspx xxxx://xxx.xxxx.xx.xxx/formsandpubs/laws/priv/Pages/DHCSBusin essAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PHIPHI or PI, Contractor shall take: