Common use of Breach of Unsecured PHI Clause in Contracts

Breach of Unsecured PHI. Business Associate shall, following the discovery of an actual or suspected Breach of Unsecured Protected Health Information, provide written notice of the Breach (“BA Notice”) to the applicable LIBERTY Entity(ies) within one (1) business day of discovering the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable due diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a Representative of Business Associate. The BA Notice shall include the following information: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach, (ii) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, who or what caused the Breach, and who received the PHI, (iii) a description of the types of Unsecured Protected Health Information involved in the Breach, (iv) a description of the action Business Associate took and/or will take to mitigate any deleterious effect of the Breach and a description of the corrective action Business Associate took and/or will take to prevent further Breaches; and (v) any other relevant information. Business Associate shall further provide to LIBERTY any other available information that LIBERTY requests. Upon providing the BA Notice to LIBERTY, Business Associate shall fully cooperate with LIBERTY to enable LIBERTY to confirm whether a Breach occurred and to conduct a risk assessment. 
If it is determined that a Breach occurred, Business Associate shall fully cooperate with LIBERTY with respect to providing any notification of the Breach as required by the HITECH Act and taking all additional actions as may be required to comply with the HITECH Act. Business Associate shall maintain any and all documentation related to the Breach including, without limitation, any documentation necessary to demonstrate that all notifications were made as required by 45 CFR § 164.410 or that the use or disclosure did not constitute a Breach.

Appears in 4 contracts

Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement


Breach of Unsecured PHI. Business Associate will report to Covered Entity any suspected Breach of Unsecured PHI by Business Associate or any of its officers, directors, employees, Subcontractors or agents. [GPM Note: if CE wants breach notification to go to someone at CE who is not the official designated to receive general notice under this BAA (i.e., if CE wants notice to go to its Privacy Officer but less pressing contract issues to go to the contracting department), CE can designate a specific contact to receive breach notification from BA. Otherwise notice can go to the general notice point for contracting issues]. [Option A] [All notifications of Breach of Unsecured PHI will be made by Business Associate to ________________ at Covered Entity.] [Option B] All notifications of Breach of Unsecured PHI will be made by Business Associate to the Covered Entity official designated in Section VIII(c) of this Agreement] All notifications required under this Section will be made by Business Associate without unreasonable delay and in no event later than [one (1) day] [two (2) days] of discovery. [GPM Note: if CE will do breach analysis itself, CE should require very short notice period so that it can begin analysis quickly]. Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the suspected Breach is treated as discovered. Covered Entity shall have discretion to determine whether a suspected Breach has given rise to a Breach.
Business Associate will cooperate with Covered Entity and provide such information as Covered Entity reasonably requires in making this determination. In notifying Covered Entity of a suspected Breach, Business Associate will provide, to the extent reasonably possible, as much of the information it has that would be required in notifying a Covered Entity of a Breach, under 45 C.F.R. § 164.410. If Covered Entity determines that a Breach has occurred, Business Associate will provide any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.404(c). In the event Covered Entity determines a Breach has occurred that was caused by the acts or omissions of Business Associate, its Subcontractors, officers, directors, employees or agents, Business Associate will cooperate with Covered Entity to notify, [GPM Note: CE should consider whether to require BA to cover costs of notification due to a breach caused by BA] [at Business Associate’s expense], (i) individuals whose Unsecured PHI has been, or is reasonably believed by Covered Entity to have been, accessed, acquired, used or disclosed, and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach. [GPM Note: following sentence relates to whether CE wants BA to be responsible for costs of notification.
If not, this sentence can be deleted] [Business Associate will indemnify Covered Entity for any reasonable expenses Covered Entity incurs in notifying individuals, the media and related expenses arising from a Breach, or costs of mitigation related thereto, caused by Business Associate or its officers, directors, employees, Subcontractors or agents.] Business Associate will cooperate in Covered Entity’s Breach analysis process and procedures, if requested. Covered Entity will at all times have the final decision about the content of any notification required to be given under the Regulations. [GPM Note: we have provided 2 options for the access to records provision. Option 1 affords the CE more control over how the BA acts. The advantage of this is that CE can make sure the BA acts appropriately. The disadvantage is that it is more likely to make CE potentially liable for the acts or omissions of BA. Option 2 gives more discretion to the BA. The advantage is that the CE is less likely to be liable for the BA’s acts. The disadvantage is that the principal-agency analysis used by regulators to determine liability is not precise, so there is no guarantee that CE will not be found liable. Also, Option 2 gives more discretion to the BA, which undermines CE’s ability to make sure that BA performs appropriately]. [Option 1—more control for CE; delete option 2 if used] Access.
In the event an Individual requests access to PHI in a Designated Record Set from Business Associate, Business Associate will provide Covered Entity with notice of the same within [two (2)] [three (3)] [five (5)] days. Business Associate will provide access, within [two (2)] [three (3)] [five (5)] days of a request of Covered Entity and in the manner designated by Covered Entity, to PHI in a Designated Record Set to Covered Entity, or, as directed by Covered Entity, to an Individual or the Individual’s designee in order to meet the requirements under 45 C.F.R. § 164.524 (Access). If the PHI that is the subject of a request is maintained by the Business Associate in a Designated Record Set electronically, Business Associate will provide an electronic copy of such information to the Covered Entity, or, as directed by the Covered Entity, to the Individual or the Individual’s designee, in the format required by the Regulations and as directed by Covered Entity, in order to meet the Covered Entity’s obligations under 45 C.F.R. § 164.524.
[Option 2—more discretion for BA; delete option 1 if used] Access. Business Associate will make available PHI in a Designated Record Set as necessary to satisfy Covered Entity obligations under 45 C.F.R. § 164.524 (access).

Appears in 1 contract

Samples: Business Associate Agreement


Breach of Unsecured PHI. Business Associate shall investigate each unauthorized access, acquisition, Use, or Disclosure of Covered Entity’s PHI that it discovers to determine whether such unauthorized access, acquisition, Use, or Disclosure constitutes a reportable Breach of Unsecured PHI. If Business Associate determines that a reportable Breach of Unsecured PHI has occurred, Business Associate shall notify Covered Entity of such Breach in writing without unreasonable delay but no later than three (3) calendar days after discovery of the Breach, in accordance with 45 C.F.R. §164.410(c).
Business Associate shall cooperate with Covered Entity in meeting Covered Entity’s obligations under the HITECH Act with respect to such Breach. Covered Entity shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s), the Secretary and, if applicable, the media, as required by the HITECH Act. Business Associate shall reimburse Covered Entity for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach. Availability of Internal Practices, Books, and Records to Government. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI received from, or created or received by the Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act. Except to the extent prohibited by law, Business Associate shall notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary.
Access to and Amendment of Protected Health Information. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Covered Entity for inspection and copying or, as directed by Covered Entity, to an individual, within fifteen (15) days of a request by Covered Entity, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524. If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate shall provide such information in the electronic form and format requested by the Covered Entity if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Covered Entity to enable Covered Entity to fulfill its obligations under 42 U.S.C. § 17935(e) and 45 C.F.R. § 164.524(c)(2). Business Associate shall notify Covered Entity within fifteen (15) days of receipt of a request for access to PHI.

Appears in 1 contract

Samples: Billing Services Agreement
