Reporting of Violations. Business Associate agrees to report in writing to Covered Entity, without unreasonable delay, and in no case later than ten (10) calendar days after discovery, the following: (1) any known access, use, or disclosure of PHI that is not authorized by this Agreement; (2) any Security Incident of which the Business Associate becomes aware, and (3) any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay, and in no case later than ten (10) calendar days after discovery. Business Associate further agrees to notify Covered Entity of any suspected access, use, or disclosure of data in violation of any applicable federal or state laws or regulations without unreasonable delay, and in no case later than thirty (30) calendar days after discovery. In the event of a Breach, Business Associate may delay notifying Covered Entity upon a request from law enforcement. At Covered Entity’s request, Business Associate agrees, to the extent possible, to identify each Individual whose PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during the Security Incident and/or Breach; the date and scope of the Security Incident and/or Breach; Business Associate’s response to the Security Incident and/or Breach; and the identity of the party responsible for causing the Security Incident and/or Breach, if known. Business Associate also agrees to provide Covered Entity with sufficient information to permit Covered Entity to comply with the Breach Notification Rule’s requirements or applicable state law requirements. Business Associate shall cooperate reasonably and coordinate with Covered Entity in the investigation of any violation of this Agreement’s requirements and/or any Security Incident or Breach. Business Associate shall cooperate reasonably and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body, or any third party required to be made under HIPAA, the HIPAA Rules, the HITECH Act, or any other federal or state laws, rules, or regulations.
Appears in 1 contract
Samples: Remote Monitoring Services Agreement (Generex Biotechnology Corp)
Reporting of Violations. Business Associate agrees XXXX shall report to report Practice in writing to Covered Entityeach Security Incident or Use or Disclosure that is made by XXXX, without unreasonable delaymembers of its workforce, and in or agents or Subcontractors that is not specifically permitted by the BAA no case later than ten (10) calendar business days after discovery, the following: (1) any known access, use, or disclosure becoming aware of PHI that is not authorized by this Agreement; (2) any such Security Incident of which or non-permitted Use or Disclosure, in accordance with the Business Associate becomes aware, and (3) is any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay, and in no case later than ten (10) calendar days after discoverynotice provisions set forth herein. Business Associate XXXX further agrees to notify Covered Entity Practice of any suspected access, useUse, or disclosure Disclosure of data in violation of any applicable federal or state laws or regulations without unreasonable delay, and in no case later than thirty (30) calendar days after discovery. In the event of a Breach, Business Associate XXXX may delay notifying Covered Entity Practice upon a request from law enforcement. At Covered EntityPractice’s request, Business Associate XXXX agrees, to the extent possible, to identify each Individual whose PHI has been or is reasonably believed by Business Associate XXXX to have been accessed, acquired or disclosed Disclosed during the Security Incident and/or Breach; the date and scope of the Security Incident and/or Breach; Business AssociateOTTO’s response to the Security Incident and/or Breach,; , and the identity of the party responsible for causing the Security Incident and/or Breach, if known. 
Business Associate XXXX also agrees to provide Covered Entity Practice with sufficient information to permit Covered Entity Practice to comply with Breach Notification Rule’s requirements or applicable state law requirements. Business Associate XXXX shall cooperate reasonably and coordinate with Covered Entity Practice in the investigation of any violation of this Agreementthe BAA’s requirements and/or any Security Incident or Breach. Business Associate XXXX shall cooperate reasonably and coordinate with Covered Entity Practice in the preparation of any reports or notices to the Individual, a regulatory body, or any third party required to be made under HIPAA, the HIPAA Rules, the HITECH Act, or any other federal or state laws, rules, or regulations. If XXXX determines that a reportable Breach of Unsecured PHI has occurred, XXXX shall provide a written report to Practice without unreasonable delay but no later than twenty (20) calendar days after discovery of the Breach. To the extent that information is available to XXXX, OTTO’s written report to Practice shall be in accordance with 45 C.F.R. §164.410(c).
Appears in 1 contract
Samples: Business Associate Agreement
Reporting of Violations. 1. Business Associate shall report to Covered Entity (which shall also include a duplicate copy via email to Xxxxxxx@Xxxxxxx.xxx) within one (1) calendar day of Business Associate’s discovery of:
a. Any use or disclosure of PHI or SUTI not provided for by this Agreement,
b. Any security incident, or
c. Any acquisition, access, use or disclosure of Unsecured PHI or SUTI in a manner not permitted by the Privacy Rule and/or Applicable Law.
2. The events described in paragraph 1 above shall be treated as discovered by Business Associate as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of any event described in paragraph 1 above if such event is known, or by exercising reasonable diligence would have been known, to any person, other than the person causing the event, who is an employee, officer, or other agent of Business Associate.
3. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings
4. The reports made to Covered Entity pursuant to paragraph 1 above shall include all relevant facts concerning the event and, with respect to reports of events set forth in paragraph 1.c. above, shall include the identity of each individual whose Unsecured PHI or SUTI has been, or is reasonably believed by the Business Associate to have been, acquired, accessed, used or disclosed. As soon as possible thereafter, and to the extent known, Business Associate shall also provide Covered Entity with a description of:
a. What happened, including the date of the acquisition, access, use or disclosure and the date of it becoming aware to Business Associate;
b. The types of Unsecured PHI or SUTI involved in the acquisition, access, use or disclosure;
c. Any steps an individual should take to protect themselves from the acquisition, access, use or disclosure; and
d. What Business Associate is doing to investigate the acquisition, access, use or disclosure, to mitigate harm to individuals and to protect against any further unpermitted acquisition, access, use or disclosure of Unsecured PHI or SUTI.
5. Business Associate will cooperate with Covered Entity’s investigation and/or risk assessment with respect to any report made by Business Associate pursuant to paragraph 1.c. above and will abide by Covered Entity’s decision with respect to whether such acquisition, access, use or disclosure constitutes a breach of Unsecured PHI for purposes of the Unsecured PHI Breach Rule.
6. Business Associate agrees to follow the instructions of Covered Entity with respect to any event reported to Covered Entity under paragraph 1.c. above that Covered Entity determines to be a breach of Unsecured PHI. Business Associate acknowledges that this may include, but not be limited to, the actions set forth in paragraphs a. through d. below:
a. Providing written notice of the Unsecured PHI breach, on behalf of Covered Entity, without unreasonable delay, but no later than sixty
b. Business Associate will provide written notice of the breach of Unsecured PHI, on behalf of the Covered Entity, to the media to the extent required under 45 CFR § 164.406. Business Associate and the Covered Entity shall cooperate in all respects regarding the drafting and the content of the notice. To that end, before sending any notice to the media, Business Associate shall first provide a draft of the notice to the Covered Entity. Covered Entity shall have five
c. Business Associate will provide written notice of the breach of Unsecured PHI, on behalf of the Covered Entity, to the Secretary to the extent required under 45 CFR § 164.408. Business Associate and Covered Entity shall cooperate in all respects regarding the drafting and the content of the notice. To that end, before sending any notice to the Secretary, Business Associate shall first provide a draft of the notice to the Covered Entity. Covered Entity shall have five business days (plus any reasonable extensions) to provide comments on Business Associate’s draft of the notice.
d. If the breach of Unsecured PHI involves fewer than five hundred
Appears in 1 contract
Samples: Broker Agreement
Reporting of Violations. 1. Business Associate shall report to Covered Entity (which shall also include a duplicate copy via email to Xxxxxxx@Xxxxxxx.xxx) within one (1) calendar day of Business Associate’s discovery of:
a. Any use or disclosure of PHI or SUTI not provided for by this Agreement,
b. Any security incident, or
c. Any acquisition, access, use or disclosure of Unsecured PHI or SUTI in a manner not permitted by the Privacy Rule and/or Applicable Law.
2. The events described in paragraph 1 above shall be treated as discovered by Business Associate as of the first day on which such event is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of any event described in paragraph 1 above if such event is known, or by exercising reasonable diligence would have been known, to any person, other than the person causing the event, who is an employee, officer, or other agent of Business Associate.
3. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI or SUTI.
4. The reports made to Covered Entity pursuant to paragraph 1 above shall include all relevant facts concerning the event and, with respect to reports of events set forth in paragraph 1.c. above, shall include the identity of each individual whose Unsecured PHI or SUTI has been, or is reasonably believed by the Business Associate to have been, acquired, accessed, used or disclosed. As soon as possible thereafter, and to the extent known, Business Associate shall also provide Covered Entity with a description of:
a. What happened, including the date of the acquisition, access, use or disclosure and the date of it becoming aware to Business Associate;
b. The types of Unsecured PHI or SUTI involved in the acquisition, access, use or disclosure;
c. Any steps an individual should take to protect themselves from the acquisition, access, use or disclosure; and
d. What Business Associate is doing to investigate the acquisition, access, use or disclosure, to mitigate harm to individuals and to protect against any further unpermitted acquisition, access, use or disclosure of Unsecured PHI or SUTI.
5. Business Associate will cooperate with Covered Entity’s investigation and/or risk assessment with respect to any report made by Business Associate pursuant to paragraph 1.c. above and will abide by Covered Entity’s decision with respect to whether such acquisition, access, use or disclosure constitutes a breach of Unsecured PHI for purposes of the Unsecured PHI Breach Rule.
6. Business Associate agrees to follow the instructions of Covered Entity with respect to any event reported to Covered Entity under paragraph 1.c. above that Covered Entity determines to be a breach of Unsecured PHI. Business Associate acknowledges that this may include, but not be limited to, the actions set forth in paragraphs a. through d. below:
a. Providing written notice of the Unsecured PHI breach, on behalf of Covered Entity, without unreasonable delay, and in but no case later than ten sixty (1060) calendar days after discoveryfollowing the date the breach is discovered or such later date as is authorized under 45 CFR § 164.412, the following: (1) any known access, use, or disclosure of PHI that is not authorized by this Agreement; (2) any Security Incident of which the Business Associate becomes aware, and (3) is any Breach of to each individual whose Unsecured PHI of which it becomes awarehas been, without unreasonable delay, and in no case later than ten (10) calendar days after discovery. Business Associate further agrees to notify Covered Entity of any suspected access, use, or disclosure of data in violation of any applicable federal or state laws or regulations without unreasonable delay, and in no case later than thirty (30) calendar days after discovery. In the event of a Breach, Business Associate may delay notifying Covered Entity upon a request from law enforcement. At Covered Entity’s request, Business Associate agrees, to the extent possible, to identify each Individual whose PHI has been or is reasonably believed by Business Associate to have been been, accessed, acquired used, or disclosed during the Security Incident and/or Breach; the date and scope as a result of the Security Incident and/or HIPAA Breach; Business Associate’s response to the Security Incident and/or Breach,; . The content, form, and the identity delivery of the party responsible for causing the Security Incident and/or Breach, if knownsuch written notice shall comply in all respects with 45 CFR § 164.404(c)-(d). Business Associate also agrees to provide and Covered Entity with sufficient information shall cooperate in all respects regarding the drafting and the content of the notice. 
To that end, before sending any notice to permit Covered Entity to comply with Breach Notification Rule’s requirements or applicable state law requirements. any individual, the Business Associate shall cooperate reasonably and coordinate with first provide a draft of the notice to the Covered Entity. Covered Entity in the investigation of any violation of this Agreement’s requirements and/or any Security Incident or Breach. Business Associate shall cooperate reasonably and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body, or any third party required to be made under HIPAA, the HIPAA Rules, the HITECH Act, or any other federal or state laws, rules, or regulations.have five
Appears in 1 contract
Samples: Broker Agreement