Common use of Privacy or Security Breach Clause in Contracts

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s Unsecured Protected Health Information. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty (50) calendar days after the Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and (F) Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s which it becomes aware, including breaches of Unsecured Protected Health Information. The Business Associate will treat the Breach Information as being discovered in accordance with required by 45 CFR §164.410164.40, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty (50) calendar days after the Business Associate learns becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and (F) Provide such other information, including a written reportreport and risk assessment under 45 CFR §164.402, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach Addendum of the Covered Entity’s which it becomes aware, including breaches of Unsecured Protected Health Information. The Business Associate will treat the Breach Information as being discovered in accordance with required by 45 CFR §164.410164.40, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty fifteen (5015) calendar days after the Business Associate learns becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-non- permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and (F) Provide such other information, including a written reportreport and risk assessment under 45 CFR §164.402, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s Unsecured Protected Health InformationInformation within five (5) calendar days of discovering the breach. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will promptly make the report to the Covered Entity’s Privacy Official not more than fifty (50) calendar days Official, and to the applicable authorities on behalf of the Covered Entity, after the Business Associate learns of such non-permitted use or disclosuredisclosure in a manner and time frame consistent with requirements specified in the HIPAA Privacy Regulations. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the any Breach; (B) Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and; (F) Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement BA Contract along with any Breach of the Covered Entity’s Unsecured Protected Health Information. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §§ 164.410. The Business Associate will make the report to the Covered Entityentity’s Privacy Official not more than fifty (50) or other corporate contract within 60 calendar days after the Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §§ 164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (Aa) Identify the nature of the Breach breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the any Breach; (Bb) Identify the Covered Entity’s Protected Health Information that was subject to the non-non- permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (Cc) Identify who made the non-permitted use or disclosure and who received the non-non- permitted use or disclosure; (Dd) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (Ee) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and; (Ff) Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s Unsecured Protected Health Information. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will make the report to the Covered Entity’s Privacy Official Entity not more than fifty (50) 5 calendar days after the Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) a. Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the any Breach; (B) b. Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) c. Identify who made the non-permitted use or disclosure and who received the non-non- permitted use or disclosure; (D) d. Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) e. Identify what steps the individuals Individuals who were subject to a Breach should take to protect themselves; and; (F) f. Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s Unsecured Protected Health Information. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will make the report to the Covered Entity’s Privacy Official Entity not more than fifty (50) 5 calendar days after the Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) a. Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the any Breach; (B) b. Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) c. Identify who made the non-permitted use or disclosure and who received the non-non- permitted use or disclosure; (D) d. Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) e. Identify what steps the individuals Individuals who were subject to a Breach should take to protect themselves; and; (F) f. Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will immediately report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted for by this Agreement along with of which it becomes aware of; and any Breach Security Incident of the Covered Entity’s Unsecured Protected Health Informationwhich it becomes aware of. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will make A Breach is considered discovered on the report to the Covered Entity’s Privacy Official not more than fifty (50) calendar days after first day the Business Associate learns knows or should have known about it by exercising reasonable diligence. Business Associate agrees to notify the Covered Entity of any individual whose Protected Health Information has been Breached. Business Associate agrees that such non-permitted use or disclosurenotification will meet the requirements of 45 CFR 164.410. If a delay is requested by a law-law- enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) i. Identify the nature of the Breach breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the any Breach, no later than 24 hours after a Breach is discovered; (B) ii. Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or of other information were involved) on an individual basis; (C) iii. Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) iv. Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) v. Identify what steps the individuals who were subject to a Breach should take to protect themselves; and; (F) vi. Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach BAA of the Covered Entity’s which it becomes aware, including breaches of Unsecured Protected Health Information. The Business Associate will treat the Breach Information as being discovered in accordance with required by 45 CFR §164.410164.40, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty twenty-five (5025) calendar days after the Business Associate learns becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted nonpermitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and (F) Provide such other information, including a written reportreport and risk assessment under 45 CFR §164.402, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s which it becomes aware, including breaches of Unsecured Protected Health Information. The Business Associate will treat the Breach Information as being discovered in accordance with required by 45 CFR §164.410164.40, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty thirty (5030) calendar days after the Business Associate learns becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) Identify the Covered Entity’s Protected Health Information that was subject to the non-non- permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-non- permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and (F) Provide such other information, including a written reportreport and risk assessment under 45 CFR §164.402, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use Entity’s Privacy Officer or disclosure of the Covered Entity’s Protected Health contract manager within 2 business days after the discovery, any unauthorized access, use, disclosure of Covered Entity’s protected health Information not permitted by this the Business Associates Agreement along with any Breach breach of the Covered Entity’s Unsecured Protected Health Informationunsecured protected health information. The Business Associate will treat the Breach breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty (50) calendar days after the Business Associate learns of such non-permitted use or disclosure. If a delay is requested by a law-law enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s Associates report will at leasta minimum: (Aa) Identify the nature of the Breach breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach breach and the date of the discovery of the Breachbreach; (Bb) Identify the Covered Entity’s Protected Health Information that was subject to the non-non- permitted use or disclosure or Breach breach (such as whether full name, social security number, date of birth, home address, account number or other information were involvedwas disclosed/accessed) on an individual basis; (Cc) Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosureit; (Dd) Identify what corrective action or investigational action the mitigation Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breachesbreaches; (Ee) Identify what steps the individuals who were subject to a Breach breach should take to protect themselves; and; (Ff) Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach Addendum of the Covered Entity’s which it becomes aware, including breaches of Unsecured Protected Health Information. The Business Associate will treat the Breach Information as being discovered in accordance with required by 45 CFR §164.410164.40, and any Security Incident of which it becomes aware. The Business Associate will make the report to the Covered Entity’s Privacy Official not more than fifty fifteen (5015) calendar days after the Business Associate learns becomes aware of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time period. The Business Associate’s report will at least: (A) 1. Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) 2. Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) 3. Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) 4. Identify what corrective or investigational action the Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) 5. Identify what steps the individuals who were subject to a Breach should take to protect themselves; and (F) 6. Provide such other information, including a written reportreport and risk assessment under 45 CFR §164.402, as the Covered Entity may reasonably request.

Privacy or Security Breach. The Business Associate USI will report to the Covered Entity any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with any Breach of the Covered Entity’s Unsecured Protected Health Information. The Business Associate USI will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate USI will make the report to the Covered Entity’s Privacy Official Entity not more than fifty (50) 15 calendar days after the Business Associate USI learns of such non-permitted use or disclosure. If a delay is requested by a law-law- enforcement official in accordance with 45 CFR §164.412, the Business Associate USI may delay notifying the Covered Entity for the applicable time period. The Business AssociateUSI’s report will at least: (A) a. Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the any Breach; (B) b. Identify the Covered Entity’s Protected Health Information that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) c. Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) d. Identify what corrective or investigational action the Business Associate USI took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) e. Identify what steps the individuals Individuals who were subject to a Breach should take to protect themselves; and; (F) f. Provide such other information, including a written report, as the Covered Entity may reasonably request.

Privacy or Security Breach. The 3.1. Business Associate will report to the Covered Entity Entity’s Privacy Officer any use or disclosure of the Covered Entity’s Protected Health Information not permitted by this Agreement along with and any suspected Breach of the Covered Entity’s Unsecured Protected Health Information. The Business Associate will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate will make the report to the Covered Entity’s Privacy Official Information not more than fifty (50) 30 calendar days after the Business Associate learns of such non-permitted use or disclosuredisclosure or Breach is discovered. A suspected Breach shall be treated as discovered as of the first day on which such Breach is known or reasonably should have been known by Business Associate. If a delay is requested by a law-law enforcement official in accordance with 45 CFR §164.412, the Business Associate may delay notifying the Covered Entity for the applicable time periodperiod of time. The Business Associate’s report will at leastshall include: (A) Identify the 3.1.1. The nature of the Breach or other non-permitted use or disclosure, which will include including a brief description of what happened, including the date of any the non-permitted use or disclosure or Breach and the date of the discovery discovery; 3.1.2. A description of the Breach; (B) Identify the Covered Entity’s Protected Health Information Unsecured PHI that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify 3.1.3. The identity of the person who made the non-permitted use or disclosure and who received the non-non- permitted use or disclosuredisclosure (if known); (D) Identify what 3.1.4. The corrective or investigational investigative action the Business Associate took or will take to prevent further non-non- permitted uses or disclosures, to mitigate harmful effects effects, and to protect against any further future Breaches; (E) Identify what 3.1.5. Any details necessary for Covered Entity to assess the risk of harm to Individuals whose PHI and the steps the individuals who were subject to a Breach such Individuals should take to protect themselves; and (F) Provide such 3.1.6. Such other information, including a written report, as the Covered Entity may reasonably request. 3.2. Covered Entity, at its sole discretion, shall make the determination as to whether or not the non- permitted use or disclosure constitutes a Breach as that term is defined in 45 CFR §164.402 and will be responsible for providing notification to Individuals whose Unsecured PHI has been disclosed, as well as the Secretary of HHS and the media, as required by the HITECH Act. If Covered Entity determines the non-permitted use or disclosure qualifies as a Breach that triggers the HITECH Act breach notification requirements, then Business Associate will reimburse Covered Entity for all costs related to notifying Individuals of the Breach of Unsecured Protected Health Information maintained or otherwise held by Business Associate as well as any costs to mitigate the effects of the Breach. 3.3. Business Associate will report to Covered Entity any attempted or successful unauthorized access, use, disclosure, modification or destruction of Electronic Protected Health Information or interference with Business Associate’s systems operations in Business Associate’s information systems, of which Business Associate becomes aware. Business Associate shall make such reports annually except if such Security Incident results in a disclosure not permitted by this Agreement or Breach of Unsecured Protected Health Information, Business Associate will make a report as required by Section 3.1 of this Agreement.

Privacy or Security Breach. The Business Associate PayRight will report to the Covered Entity Client any use or disclosure of the Covered EntityClient’s Protected Health Information PHI not permitted by this Agreement along with any Breach of the Covered EntityClient’s Unsecured Protected Health InformationPHI. The Business Associate PayRight will treat the Breach as being discovered in accordance with 45 CFR §164.410. The Business Associate PayRight will make the report to the Covered EntityClient’s Privacy Official not more than fifty (50) calendar days after the Business Associate PayRight learns of such non-permitted use or disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §164.412, the Business Associate PayRight may delay notifying the Covered Entity Client for the applicable time period. The Business AssociatePayRight’s report will at least: (A) Identify the nature of the Breach or other non-permitted use or disclosure, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of the Breach; (B) Identify the Covered EntityClient’s Protected Health Information PHI that was subject to the non-permitted use or disclosure or Breach (such as whether full name, social security number, date of birth, home address, account number or other information were involved) on an individual basis; (C) Identify who made the non-permitted use or disclosure and who received the non-permitted use or disclosure; (D) Identify what corrective or investigational action the Business Associate PayRight took or will take to prevent further non-non- permitted uses or disclosures, to mitigate harmful effects and to protect against any further Breaches; (E) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and, (F) Provide such other information, including a written report, as the Covered Entity Client may reasonably request.