Common use of Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures Clause in Contracts

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement or of any Incident, including breaches of unsecured PHI, then Business Associate will immediately notify Covered Entity in accordance with 45 CFR 164.410. Business Associate will follow the following breach notification requirements: a. Business Associate shall immediately notify Covered Entity of suspicion of a breach or of a known potential breach. If Business Associate discovers a breach of Unsecured PHI, including breach as defined in Florida Statutes § 501.171, Business Associate shall notify Covered Entity as soon as practicable and in no case later than within 10 calendar days after discovery. For this purpose, discovery means the first day on which the breach is known to Business Associate or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a breach if the breach is known or by exercising reasonable diligence would have been known to any person, other than the person committing the breach, who is an employee, officer, subcontractor or other agent of Business Associate. The notification must include identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the breach and any other available information in Business Associate's possession which Covered Entity is required to include in the individual notice contemplated by 45 CFR § 164.404. b. Upon notification by Business Associate to Covered Entity of a breach of Unsecured PHI, the Business Associate shall assist Covered Entity in complying with the notification obligations as set forth under the HIPAA Rule, Florida law, and regulations as amended. c. Business Associate shall maintain a log of breaches of Unsecured PHI with respect to Covered Entity and shall submit the log to Covered Entity within 30 calendar days following the end of each calendar year so that Covered Entity may report breaches to the Secretary in accordance with 45 CFR § 164.408.