Common use of State Confidentiality Laws and Regulations Clause in Contracts

State Confidentiality Laws and Regulations. 7.1 Business Associate agrees to comply with all applicable state laws and regulations governing the confi- dentiality of information provided by NYC Health + Hospitals including, but not limited to, New York Public Health Law §§ 18 (Access to Patient Information) & 2780 et seq. (Confidential HIV Related Information); New York Mental Hygiene Law §§ 22.05 (Patient Chemical Dependence Services Records) & 33.13 (Confidentiality of Clinical Records); New York Civil Rights Law § 79-l (Confidentiality of Genetic Test Records); and New York General Business Law §§ 399-ddd (Confidentiality of Social Security Account Number), 399-h (Disposal of Records Containing Personal Identifying Information), & 899-aa (New York Breach Notification Statute). 7.2 Pursuant to New York General Business Law § 899-aa(2)&(3) and in conformity with this BAA, Business Associate shall, within ten (10) business days of discovery thereof, notify NYC Health + Hospitals in writing of any “breach of the security of the system,” as defined in New York General Business Law § 899-aa(1)(c), that involves PHI containing individuals’ “private information,” as defined in New York General Business Law § 899-aa(1)(b), that was, or was reasonably believed to be, acquired from Business Associate by a person without valid authorization. 7.3 Notwithstanding any other provision of this BAA, Business Associate shall bear all costs related to its breach of private information under New York General Business Law § 899-aa, including any and all applicable damages or losses identified in New York General Business Law § 899aa(6). In the event such breach has occurred, Business Associate shall reimburse NYC Health + Hospitals for all costs incurred by NYC Health + Hospitals directly related to providing the notice required by New York General Business Law § 899-aa(5), including if applicable, but not limited to: written notice, electronic notice, telephone notification, substitute notice, and notification to major statewide media. 7.4 In the event Business Associate chooses to destroy the PHI in its possession in compliance with this BAA, and said PHI contains “personal identifying information” as defined in New York General Business Law § 399-h(1)(d), Business Associate shall dispose of such information in conformity with New York General Business Law § 399-h(2).