Reporting Unauthorized Disclosures and Breaches. During the term of this BAA, BA shall notify CE within 24 hours of any suspected or actual Breach of security; intrusion; or unauthorized acquisition, access, use or disclosure of PHI in violation of any applicable federal or state law. BA shall identify for the CE the individuals whose unsecured PHI has been, or is reasonably believed to have been, Breached so that CE can comply with any notification requirements. BA shall also indicate whether the PHI subject to the suspected or actual Breach; intrusion; or unauthorized acquisition, access, use or disclosure was encrypted or destroyed at the time. BA shall take prompt corrective action to cure any deficiencies that result in Breaches of security; intrusion; or unauthorized acquisition, access, use, and disclosure. BA shall reimburse CE for all costs associated with any notice of Breach CE is required to provide under HIPAA, HITECH Act, and the Privacy and Security Rule. For purposes of this paragraph, BA is not an agent of CE.
Appears in 4 contracts
Samples: Standard Agreement, Standard Agreement, Standard Agreement
