Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Addendum of which it becomes aware, including breaches of Unsecured Protected Health Information as required by 45 CFR 164.40, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifteen (15) calendar days after the Business Associate becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least:
Privacy or Security Breach. Business Associate will report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of Covered Entity’s Unsecured Protected Health Information within five (5) calendar days of discovering the breach. Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. Business Associate will promptly make the report to Covered Entity’s Privacy Official, and to the applicable authorities on behalf of the Covered Entity, after Business Associate learns of such non-permitted use or disclosure in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulations. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s report will at least:
Privacy or Security Breach. Both Parties shall promptly report any actual or potential breach of Data to the other party if that information has been exchanged via the HIE and/or exists in the cloud repository. All affected parties will cooperate to ensure that prompt mitigation measures are taken and timely breach notification is issued as outlined in state (10 L.P.R.A. § 4051) and federal law (45 CFR Part 164.410(c)).
Privacy or Security Breach. 2.11.1 In accordance with applicable law, Contractor agrees to give written notice (an “Incident Notice”) to Covered Entity and RCEB of any (a) use or disclosure of PHI that is not in compliance with the terms of this Agreement, of which it becomes aware (“Breach”) and (b) attempted or actual Security Incident (collectively with a Breach, an “Incident”). An Incident Notice shall be made without unreasonable delay and, in no event, later than twenty four (24) hours after discovery of such Incident, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security as described in 45 C.F.R. § 164.412. In addition, an Incident Notice shall include (to the extent possible) the following information:
Privacy or Security Breach. Business Associate will report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of Covered Entity’s Unsecured Protected Health Information. Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. Business Associate will make the report to the Covered Entity not more than 5 calendar days after Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s report will at least:
Privacy or Security Breach. 3.1. Business Associate will report to Covered Entity’s Privacy Officer any use or disclosure of Protected Health Information not permitted by this Agreement and any suspected Breach of Unsecured Protected Health Information not more than 30 calendar days after the non-permitted use or disclosure or Breach is discovered. A suspected Breach shall be treated as discovered as of the first day on which such Breach is known or reasonably should have been known by Business Associate. If a delay is requested by a law enforcement official in accordance with 45 CFR §164.412, Business Associate may delay notifying Covered Entity for the applicable period of time. The report shall include:
Privacy or Security Breach. Business Associate will report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not permitted by this Agreement or in writing by Covered Entity, along with any Breach as defined by the Privacy Rule (or possible Breach) of Covered Entity’s Unsecured Protected Health Information. In connection with this report to Covered Entity, Business Associate will prepare a written risk assessment for each Breach or possible Breach and shall provide a copy of such risk assessment to Covered Entity. Business Associate will make the report to Covered Entity’s Privacy Official not more than 30 calendar days after Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law enforcement official in accordance with 45 C.F.R. §164-412, Business Associate may delay notifying Covered Entity as outlined in such regulation. Business Associate’s report will at least:
Privacy or Security Breach. Business Associate will report to Health Plan any use or disclosure of Health Plan’s Protected Health Information not permitted by this Agreement or in writing by Health Plan, along with any Breach, as reasonably determined by Business Associate, of Health Plan’s Unsecured Protected Health Information. In connection with this report to Health Plan, Business Associate will prepare a written risk assessment for each Breach or possible Breach and shall provide a copy of such risk assessment to Health Plan. Business Associate will treat the Breach as being discovered in accordance with HIPAA’s requirements. Business Associate will make the report to Health Plan’s Privacy Official not more than 30 calendar days after Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law enforcement official in accordance with 45 C.F.R. § 164.412, Business Associate may delay notifying Health Plan for the time period specified by such regulation. Business Associate’s report will at least: Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach; Identify Health Plan’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual-by-individual basis; Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure; Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; Identify what steps the individuals who were subject to a Breach should take to protect themselves; Provide such other information, including a written report, as Health Plan may reasonably request.
Privacy or Security Breach. The PayRight will report to the Client any use or disclosure of the Client’s PHI not permitted by this Agreement along with any Breach of the Client’s Unsecured PHI. The PayRight will treat the Breach as being discovered in accordance with 45 CFR §164.410. The PayRight will make the report to the Client’s Privacy Official not more than fifty (50) calendar days after the PayRight learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the PayRight may delay notifying the Client for the applicable time period. The PayRight’s report will at least:
Privacy or Security Breach. USI will report to Covered Entity any use or disclosure of Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of Covered Entity’s Unsecured Protected Health Information. USI will treat the Breach as being discovered in accordance with 45 CFR §164.410. USI will make the report to the Covered Entity not more than 15 calendar days after USI learns of such non-permitted use or disclosure. If a delay is requested by a law- enforcement official in accordance with 45 CFR §164.412, USI may delay notifying Covered Entity for the applicable time period. USI’s report will at least: