Notice and Reporting Obligations of Business Associate. (a) Business Associate shall notify Covered Entity within twenty-one (21) days after discovery by Business Associate, any unauthorized access, use, disclosure, modification, or destruction of PHI (including any successful Security Incident) that is not permitted by this Addendum, by applicable law, or permitted in writing by Covered Entity.
(b) Business Associate shall, as required by law, notify Covered Entity of the discovery of any Breach of Unsecured Protected Health Information. Notice must be made without any unreasonable delay and no later than twenty-one (21) days after discovery of the Breach by Business Associate.
(c) As provided for in 45 C.F.R. Sec. 164.402, Business Associate recognizes and agrees that any acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under the HIPAA Privacy Rule (Subpart E of 45 C.F.R. Part 164) is presumed to be a Breach. As such, Business Associate shall assist Covered Entity in performing a risk assessment to examine whether there is a low probability that the Unsecured PHI has been compromised to determine whether a Breach has in fact occurred. Business Associate shall cooperate with Covered Entity in furtherance of Covered Entity’s Breach notification obligations under the HIPAA Requirements by:
• Identifying each individual (if known) whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, or disclosed.
• Identifying the nature of the Breach, including the date of the Breach and date of the discovery.
• Identifying the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• Identifying the unauthorized person who used the PHI or to whom the disclosure was made.
• Determining whether the PHI was actually acquired or viewed.
• Identifying what corrective or investigational action Business Associate took or will take to prevent further non-permitted accesses, uses, or disclosures.
• Determining the extent to which the risk to the PHI has been or will be mitigated by Business Associate.
• Determining whether the incident falls under any of the Breach notification exceptions.
Appears in 3 contracts
Samples: Administrative Services Agreement, Administrative Services Agreement, Administrative Services Agreement
Notice and Reporting Obligations of Business Associate. (a) Business Associate shall notify Covered Entity within twenty-one (21) days after discovery by Business Associate, any unauthorized access, use, disclosure, modification, or destruction of PHI (including any successful Security Incident) that is not permitted by this Addendum, by applicable law, or permitted in writing by Covered Entity.
(b) Business Associate shall, as required by law, notify Covered Entity of the discovery of any Breach of Unsecured Protected Health Information. Notice must be made without any unreasonable delay and no later than twenty-one (21) days after discovery of the Breach by Business Associate.
(c) As provided for in 45 C.F.R. Sec. 164.402, Business Associate recognizes and agrees that any acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under the HIPAA Privacy Rule (Subpart E of 45 C.F.R. Part 164) is presumed to be a Breach. As such, Business Associate shall assist Covered Entity in performing a risk assessment to examine whether there is a low probability that the Unsecured PHI has been compromised to determine whether a Breach has in fact occurred. Business Associate shall cooperate with Covered Entity in furtherance of Covered Entity’s Breach notification obligations under the HIPAA Requirements by:
• Identifying each individual (if known) whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, or disclosed.
• Identifying the nature of the Breach, including the date of the Breach and date of the discovery.
• Identifying the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• Identifying the unauthorized person who used the PHI or to whom the disclosure was made.
• Determining whether the PHI was actually acquired or viewed.
• Identifying what corrective or investigational action Business Associate took or will take to prevent further non-permitted accesses, uses, or disclosures.
• Determining the extent to which the risk to the PHI has been or will be mitigated by Business Associate.
• Determining whether the incident falls under any of the Breach notification exceptions.
Appears in 1 contract
Samples: Administrative Services Agreement