Reporting Violations; Breach Notification Clause Samples

Reporting Violations; Breach Notification. Subcontractor shall report to Business Associate in writing any use or disclosure of PHI not provided for by this Agreement or the Privacy Rule of which it becomes aware, including Breaches of Unsecured PHI, as required by 45 C.F.R. § 164.410, and any Security Incidents, without unreasonable delay and in no case later than 30 calendar days after the discovery of any such use, disclosure, Breach, or Security Incident. Upon discovery of a Breach, Subcontractor will undertake a documented risk assessment in accordance with the Breach Response Rule to determine whether the acquisition, access, use or disclosure of the PHI at issue is likely to compromise the affected PHI. Subcontractor shall make this determination in coordination and consultation with Business Associate. Subcontractor shall make and retain records of such determinations, including the basis for any determination that an unauthorized use or disclosure of PHI is not a Breach that requires notification of affected individuals, regulators and others, and shall provide the documents supporting such determination to Business Associate if requested. Subcontractor’s determination that the Breach is likely to result in low probability of compromise of the affected PHI is subject to review and approval by Business Associate. If Business Associate disagrees with Subcontractor’s determination of low probability of compromise, Subcontractor shall comply with Business Associate’s determination and comply with the requirements of this Agreement consistent with such determination.