Common use of Breach Notification Requirements Clause in Contracts

Breach Notification Requirements. 5.1 With respect to any Breach by the Business Associate as provided in Section 2.4 above, the Business Associate shall notify each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Covered Entity to have been, accessed, acquired, used, or disclosed as a result of such Breach, except when law enforcement requires a delay pursuant to 45 CFR §164.412: a. Without unreasonable delay and in no case later than sixty (60) days after discovery of a Breach or from the time it should have reasonable been discovered; b. By notice in plain language including and to the extent possible: 1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; 2) A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); 3) Any steps individuals should take to protect themselves from potential harm resulting from the Breach; 4) A brief description of what the Covered Entity involved is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches; and, 5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address. c. Use a method of notification that meets the requirements of 45 CFR §164.404(d); and d. The Business Associate shall provide for substitute notice, as required by HIPPAA Rules, by providing a toll- free phone number that remains active for at least ninety (90) days where an individual can learn whether the individual’s unsecured PHI may be included in the breach and a posting as required by 45 CFR § 164.404 (d) (2). The costs of the substituted notice and notifications set out in this Section shall be the responsibility of the Business Associate.

Breach Notification Requirements. 5.1 With respect to any Breach by the Business Associate as provided in Section 2.4 above, the Business Associate shall notify each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Covered Entity to have been, accessed, acquired, used, or disclosed as a result of such Breach, except when law enforcement requires a delay pursuant to 45 CFR §164.412: a. : Without unreasonable delay and in no case later than sixty (60) days after discovery of a Breach or from the time it should have reasonable been discovered; b. ; By notice in plain language including and to the extent possible: 1) : A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; 2) ; A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); 3) ; Any steps individuals should take to protect themselves from potential harm resulting from the Breach; 4) ; A brief description of what the Covered Entity involved is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches; and, 5) , Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address. c. . Use a method of notification that meets the requirements of 45 CFR §164.404(d); and d. and The Business Associate shall provide for substitute notice, as required by HIPPAA Rules, by providing a toll- toll-free phone number that remains active for at least ninety (90) days where an individual can learn whether the individual’s unsecured PHI may be included in the breach and a posting as required by 45 CFR § 164.404 (d) (2d)(2). The costs of the substituted notice and notifications set out in this Section shall be the responsibility of the Business Associate.