Unsecured Protected Health Information. For all Unsecured PHI maintained or transmitted by BA or BA’s subcontractors, BA shall notify each Individual whose Unsecured PHI has been Accessed, acquired, Used, or Disclosed in a manner not permitted under the HIPAA Privacy Rule which compromises the security and privacy of the PHI, except when law enforcement requires a delay pursuant to 45 CFR § 164.412. If BA cannot identify the specific Individuals whose Unsecured PHI may have been Accessed, BA shall notify all persons whose Unsecured PHI reasonably may have been Accessed. On behalf of FHKC, BA shall notify such Individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the Breach. The Notice required under HIPAA shall be made as follows: By written Notice in plain language including, to the extent possible: A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; A description of the types of Unsecured PHI involved in the Breach (including but not limited to items such as whether full name, social security number, date of birth, home address, Family Account number, diagnosis, disability code, or other types of information were involved); Any steps Individuals should take to protect themselves from potential harm resulting from the Breach; A brief description of what BA and FHKC are doing to investigate the Breach, to mitigate the harm to Individuals, and to protect against further Breaches; and Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address. BA must use a method of notification that meets the requirements of 45 CFR 164.404(d). Further, BA must provide Notice to the media when required under 45 CFR 164.406 and to HHS pursuant to 45 CFR 164.408. 
BA also agrees to comply with any similar state laws, such as section 501.171, Florida Statutes, that govern breaches. BA agrees to pay all costs of notification and any associated mitigation as a result of a Breach or breach of state law, including the provision of, at a minimum, two years of credit monitoring and identity theft protection for such affected Individuals. FHKC, in its sole discretion, shall determine if the Breach or breach of state law is significant enough to warrant such measures and the length of time such mitigation measures shall be offered to the affected Individuals. In the event of the unpermitted Access, acquisition, Use, or Disclosure of Unsecured PHI, BA shall pay for and maintain a prompt mechanism on the existing toll-free telephone line, email link, and fully functioning web page to respond to any Enrollee’s or Applicant’s concerns about security, Breach, unauthorized Access, acquisition, Use, or Disclosure, or any credible allegations or suspicions of the above.
Appears in 1 contract
Samples: Business Associate Agreement
Unsecured Protected Health Information. For all Unsecured PHI maintained or transmitted by BA or BA’s Subcontractors, BA shall notify each Individual whose Unsecured PHI has been Accessed, acquired, Used, or Disclosed in a manner not permitted under the HIPAA Privacy Rule which compromises the security and privacy of the PHI, except when law enforcement requires a delay pursuant to 45 CFR §164.412. If BA cannot identify the specific Individuals whose Unsecured PHI may have been Accessed, BA shall notify all persons whose Unsecured PHI reasonably may have been Accessed. On behalf of FHKC, BA shall notify such Individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the Breach. However, where applicable state law, such as section 501.171, Florida Statutes, requires notification to be sent within a shorter time period, BA agrees to comply with such state laws in notifying the affected Individuals. The notice shall be made as follows: By written notice in plain language including, to the extent possible: A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; A description of the types of Unsecured PHI involved in the breach (including but not limited to items such as whether full name, social security number, date of birth, home address, Family account number, diagnosis, disability code, or other types of information were involved); Any steps Individuals should take to protect themselves from potential harm resulting from the breach; A brief description of what BA and FHKC are doing to investigate the breach, to mitigate the harm to Individuals, and to protect against further breaches; and Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address. BA must use a method of notification that meets the requirements of 45 CFR §164.404(d). On behalf of FHKC, BA must provide notice to the media when such notice is required under 45 CFR §164.406, and to HHS when such notice is required under 45 CFR §164.408.
BA also agrees to comply with any similar state laws, such as section 501.171, Florida Statutes, that govern breaches. BA agrees to pay all costs of notification and any associated mitigation as a result of a Breach, including the provision of, at a minimum, two years of credit monitoring and identity theft protection for such affected Individuals. FHKC, in its sole discretion, shall determine if the Breach or breach of state law is significant enough to warrant such measures and the length of time such mitigation measures shall be offered to the affected Individuals. In the event of the unpermitted Access, acquisition, Use, or Disclosure of Unsecured PHI, BA shall pay for and maintain a prompt mechanism on the existing toll-free telephone line, email link, and fully functioning web page to respond to any Enrollee’s or Applicant’s concerns about security, Breach, unauthorized Access, acquisition, Use, or Disclosure, or any credible allegations or suspicions of the above.
Appears in 1 contract
Samples: Business Associate Agreement
Unsecured Protected Health Information. For all Unsecured PHI maintained or transmitted by [VENDOR] or [VENDOR]’s subcontractors, [VENDOR] shall notify each Individual whose Unsecured PHI has been Accessed, acquired, Used, or Disclosed in a manner not permitted under the HIPAA Privacy Rule which compromises the security and privacy of the PHI, except when law enforcement requires a delay pursuant to 45 CFR § 164.412. If [VENDOR] cannot identify the specific Individuals whose Unsecured PHI may have been Accessed, [VENDOR] shall notify all persons whose Unsecured PHI reasonably may have been Accessed. On behalf of FHKC, [VENDOR] shall notify such Individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the Breach. The Notice required under HIPAA shall be made as follows: By written Notice in plain language including, to the extent possible: A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; A description of the types of Unsecured PHI involved in the Breach (including but not limited to items such as whether full name, social security number, date of birth, home address, Family Account number, diagnosis, disability code, or other types of information were involved); Any steps Individuals should take to protect themselves from potential harm resulting from the Breach; A brief description of what [XXXXXX] and FHKC are doing to investigate the Breach, to mitigate the harm to Individuals, and to protect against further Breaches; and Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address. [VENDOR] must use a method of notification that meets the requirements of 45 CFR 164.404(d). Further, [VENDOR] must provide Notice to the media when required under 45 CFR 164.406 and to HHS pursuant to 45 CFR 164.408.
[VENDOR] also agrees to comply with any similar state laws, such as section 501.171, Florida Statutes, that govern breaches. [XXXXXX] agrees to pay all costs of notification and any associated mitigation as a result of a Breach or breach of state law, including the provision of, at a minimum, one year of credit monitoring and identity theft protection for such affected Individuals. FHKC, in its sole discretion, shall determine if the Breach or breach of state law is significant enough to warrant such measures and the length of time such mitigation measures shall be offered to the affected Individuals. In the event of the unpermitted Access, acquisition, Use, or Disclosure of Unsecured PHI, [VENDOR] shall pay for and maintain a prompt mechanism on the existing toll-free telephone line, email link, and fully functioning web page to respond to any Enrollee’s or Applicant’s concerns about security, Breach, unauthorized Access, acquisition, Use, or Disclosure, or any credible allegations or suspicions of the above.
Appears in 1 contract
Samples: Business Associate Agreement
Unsecured Protected Health Information. For all Unsecured PHI maintained or transmitted by [EQRO] or [EQRO]’s subcontractors, [EQRO] shall notify each Individual whose Unsecured PHI has been Accessed, acquired, Used, or Disclosed in a manner not permitted under the HIPAA Privacy Rule which compromises the security and privacy of the PHI, except when law enforcement requires a delay pursuant to 45 CFR § 164.412. If [EQRO] cannot identify the specific Individuals whose Unsecured PHI may have been Accessed, [EQRO] shall notify all persons whose Unsecured PHI reasonably may have been Accessed. On behalf of FHKC, [EQRO] shall notify such Individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the Breach. The Notice required under HIPAA shall be made as follows: By written Notice in plain language including, to the extent possible: A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; A description of the types of Unsecured PHI involved in the Breach (including but not limited to items such as whether full name, social security number, date of birth, home address, Family Account number, diagnosis, disability code, or other types of information were involved); Any steps Individuals should take to protect themselves from potential harm resulting from the Breach; A brief description of what [XXXX] and FHKC are doing to investigate the Breach, to mitigate the harm to Individuals, and to protect against further Breaches; and Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address. [EQRO] must use a method of notification that meets the requirements of 45 CFR 164.404(d). Further, [EQRO] must provide Notice to the media when required under 45 CFR 164.406 and to HHS pursuant to 45 CFR 164.408.
[EQRO] also agrees to comply with any similar state laws, such as section 501.171, Florida Statutes, that govern breaches. [EQRO] agrees to pay all costs of notification and any associated mitigation as a result of a Breach or breach of state law, including the provision of, at a minimum, one year of credit monitoring and identity theft protection for such affected Individuals. FHKC, in its sole discretion, shall determine if the Breach or breach of state law is significant enough to warrant such measures and the length of time such mitigation measures shall be offered to the affected Individuals. In the event of the unpermitted Access, acquisition, Use, or Disclosure of Unsecured PHI, [EQRO] shall pay for and maintain a prompt mechanism on the existing toll-free telephone line, email link, and fully functioning web page to respond to any Enrollee’s or Applicant’s concerns about security, Breach, unauthorized Access, acquisition, Use, or Disclosure, or any credible allegations or suspicions of the above.
Appears in 1 contract
Samples: Business Associate Agreement