Data Breach Notification and Mitigation Sample Clauses

Data Breach Notification and Mitigation. Business Associate agrees to notify Covered Entity of any Breach of Unsecured PHI promptly upon learning of the Breach. Business Associate’s notice to Covered Entity shall include such information as required by the HIPAA Regulations to be provided by a Business Associate in the event of a Breach.
Data Breach Notification and Mitigation. 8.1 Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. § 164.402 or any “breach” of unencrypted “personal information” as those terms are defined by § 501.171, F.S. (collectively referred to as a “HIPAA Breach”). Business Associate will, following the discovery of a HIPAA Breach, notify Covered Entity immediately and in no event later than three (3) business days after Business Associate discovers such HIPAA Breach, unless Business Associate is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. For purposes of reporting a HIPAA Breach to Covered Entity, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. No later than seven (7) business days following a HIPAA Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. § 164.400 et seq as well as the notification requirements of § 501.171, F.S. Following a HIPAA Breach, Business Associate will have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the HIPAA Breach.
Data Breach Notification and Mitigation. 8.1 HIPAA Data Breach Notification and Mitigation. (Business Associate) agrees to implement reasonable systems for the discovery and prompt reporting to (Company Name) of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. § 164.402. Specifically, a breach is an unauthorized acquisition, access, use or disclosure of unsecured PHI, including ePHI, which compromises the security or privacy of the PHI/ePHI. A breach is presumed to have occurred unless there is low probability that the PHI has been compromised based on a risk assessment of at least the factors listed in 45 C.F.R. § 164.402(2)(i)-(iv) (hereinafter a “HIPAA Breach”). The parties acknowledge and agree that 45 C.F.R. § 164.404, as described below in this Section 8.1, governs the determination of the date of discovery of a HIPAA Breach. In addition to the foregoing and notwithstanding anything to the contrary herein, (Business Associate) will also comply with applicable state law, including without limitation, Section 521 Texas Business and Commerce Code, as amended by HB 300 (82nd Legislature), or such other laws or regulations as may later be amended or adopted. In the event of any conflict between this Section 8.1, the Confidentiality Requirements, Section 521 of the Texas Business and Commerce Code, and any other later amended or adopted laws or regulations, the most stringent requirements shall govern.
Data Breach Notification and Mitigation. Business Associate agrees to promptly notify Covered Entity of any “breach” of “unsecured PHI” as those terms are defined by HIPAA (hereinafter a “Data Breach”). Business Associate shall, following the discovery of a Data Breach, promptly notify Covered Entity and in no event later than three (3) calendar days after Business Associate discovers such Data Breach, unless Business Associate is prevented from doing so by HIPAA concerning law enforcement investigations. Such information shall include a brief description of the circumstances of the Data Breach, including the date of the Data Breach, date of discovery, and estimated number of individuals affected by the Data Breach. For purposes of reporting a Data Breach to Covered Entity, the discovery of a Data Breach shall occur as of the first day on which such Data Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be considered to have had knowledge of a Data Breach if the Data Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Data Breach) who is an employee, officer or other agent of Business Associate. No later than seven (7) calendar days following the Data Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the Data Breach notification requirements set forth in HIPAA. 
Specifically, such information shall include but not be limited to Business Associate’s risk assessment which conforms to the requirements of HIPAA, and shall include: (i) the nature and extent of the PHI involved (e.g., names, social security number, date of birth, address(es), account numbers of any type, disability codes, diagnosis and/or billing codes and similar information), and the likelihood of re-identification; (ii) contact information for all individuals who were or who may have been impacted by the Data Breach (e.g., first and last name, mailing address, street address, phone number, email address); (iii) a detailed description of the circumstances of the Data Breach, and number of individuals affected by the Data Breach; (iv) the identity of the unauthorized person who used the PHI or to whom the disclosure was made; (v) whether the PHI was actually acquired or viewed by the unauthorized person; (vi) the probability that the impermissible use or disclosure did or did not compromise...
Data Breach Notification and Mitigation. The obligations in this Section shall survive termination of this BAA and shall continue as long as Business Associate maintains PHI.

Related to Data Breach Notification and Mitigation

  • Breach Notification. a. In the event of a Breach of unsecured PHI or disclosure that compromises the privacy or security of PHI obtained from DSHS or involving DSHS clients, Business Associate will take all measures required by state or federal law.

  • Security Breach Notification. In addition to the information enumerated in Article V, Section 4(1) of the DPA Standard Clauses, any Security Breach notification provided by the Provider to the LEA shall include:

  • Data Breach. In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by the Provider, the Provider shall provide notification to LEA within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. Provider shall follow the following process:
