Common use of Notification to Covered Entity Clause in Contracts

Notification to Covered Entity. If, after completing such risk assessment, Business Associate concludes that there was an ARRA Breach, Business Associate shall notify the Covered Entity of the ARRA Breach as soon as reasonably possible, and in all cases within five (5) business days of the first day on which any employee, officer or agent of Business Associate either knows or by exercising reasonable diligence would have known that an ARRA Breach occurred. The notification to Covered Entity shall include, if known, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during such ARRA Breach. The notification shall also include: (a) a brief description of what happened, including the date of the ARRA Breach and the date of the discovery of the ARRA Breach, if known; (b) a description of the types of Unsecured PHI that were involved in the ARRA Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis disability code or other types of information were involved); (c) recommended steps that Individuals should take to protect themselves from potential harm resulting from the ARRA Breach; and (d) a brief description of what the Business Associate is doing to investigate the ARRA Breach, to mitigate harm to Individuals, and to protect against any further ARRA Breaches. Business Associate shall maintain evidence to demonstrate that any required risk assessment was completed and notification to the Covered Entity under this paragraph was made unless the Business Associate determines that a delayed notice (as described in Section 4.3) applies.