BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discovery, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412. a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor. b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency. 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇ a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification. 3. Contractor’s notification shall include, to the extent possible: a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach; b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: (1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach; (4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and (5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County. 5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach. 6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur. 7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above. 8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County. 9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 4 contracts
Sources: Administration of a Prescription Drug Card and Mail Order Program Contract, Administration of a Prescription Drug Card and Mail Order Program, Administration of a Prescription Drug Card and Mail Order Program Contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI PHI, Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately without unreasonable delay and, in any event, within ten business days after discovery, to the County Privacy Officer at: :
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification. ▇▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer Officer, CHPC,CHC,CHP OCIT – Enterprise Privacy and Cybersecurity ▇▇▇▇ ▇. ▇▇▇ . ▇▇▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA ▇▇▇, ▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇ (714) 834-3154 ▇.▇▇@▇▇▇▇▇▇▇▇@.▇▇▇▇▇.▇▇▇ or ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, Deputy County Chief Information Security Officer OCIT – Enterprise Privacy Officer & Cybersecurity ▇▇▇▇ ▇. ▇▇▇ . ▇▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇Santa Ana, ▇▇ CA ▇▇▇▇▇ (714) 834-4082 ▇▇▇) ▇@▇▇-▇▇▇▇ ▇▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, and any governmental entities requiring notification at the sole discretion of the County. Such notification will contain the elements required in 45 CFR § 164.410 or applicable state law. Contractor agrees that the County will be given reasonable advance opportunity to review the proposed notice or other related communications to any individual or third party regarding the breach; the County may propose revised or additional content to the materials which will be given reasonable consideration by Contractor (or its agent).
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 provided as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 3 contracts
Sources: Claims Administration Agreement, Claims Administration Agreement, Claims Administration Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Administrative Services Agreement, Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI PHI, Contractor shall 18 notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer at: HCA Information Technology Security Officer ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP ▇▇▇▇ ▇. ▇▇. ▇▇▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92705 Office: (▇▇▇, County Privacy Officer ) ▇▇▇ ▇. ▇▇▇ ▇▇-▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇ ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., 10th Floor Santa Ana, CA ▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written ▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ 5 notification within 24 twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
: 18 (1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Contract for Provision of Correctional Health Registry Staffing Services, Contract for Provision of Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer ▇▇▇▇ ▇. ▇▇. ▇▇▇▇▇▇▇ ▇▇▇▇▇, 2nd Fl. Santa Ana, CA 92705 Office: (▇▇, County Privacy ▇) ▇▇▇-▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Covid 19 Consulting Services Agreement, Covid 19 Vaccination Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇) ▇▇▇▇▇@-▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@) ▇▇▇-▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches▇▇▇▇▇▇▇▇; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Administrative Services Agreement, Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-3154 ▇▇▇▇ ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-4082 ▇▇▇▇ ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches▇▇▇▇▇▇▇▇; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Administrative Services Agreement, Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Claims Administration and Cost Management Services Agreement, Pharmacy Benefits Manager Quality Assurance Services Contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at County Privacy Officer Interim County Privacy Officer HCA Information Technology Security Officer Not Available ▇▇▇▇▇ Le, CHP, CHPC (714) 834-4082 ▇▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇., County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇.▇▇@▇▇▇@▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇ (714) 834-3433 ▇▇▇ Or ▇. ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇., ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@10th Floor Santa Ana, CA 92701 ▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 2 contracts
Sources: Urinalysis Laboratory Testing Services, Urinalysis Laboratory Testing Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately promptly to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours 5 business days of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstancescircumstances and if the Breach was a result of a breach of this Business Associate Contract by Contractor, at the sole reasonable discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulationsE, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.. and:
6. (1) Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. (2) Contractor shall provide to County County, to the maximum extent possible, all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicablepromptly, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. (3) Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. (4) To the extent the Breach of Unsecured PHI arises as a result of Contractor’s breach of this Business Associate Contract, Contractor shall bear all expense reasonable expenses or other costs associated with the Breach and shall reimburse County for all reasonable expenses County incurs in addressing the Breach and consequences thereofBreach, including costs of investigationof, notification, remediation,, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Health Management Program Contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately promptly to the County Privacy Officer at: ▇▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ E-Mail: ▇▇▇▇▇▇ .▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 @▇▇▇▇▇▇▇▇@.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours three (3) business days of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches▇▇▇▇▇▇▇▇; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the case of a breach of PHI caused by Contractor’s breach of this contract and if Contractor and County agree that notification is required by law in at least one jurisdiction in which individuals are impacted by a security breach, County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall bear all reasonable expense or other direct costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Employee Benefits Consulting and Actuarial Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-3154 ▇▇▇▇▇▇▇▇@tbullock@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:: Breach, if known;
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;the
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Life and Accidental Death and Dismemberment Insurance Contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-3154 ▇▇▇▇▇▇▇▇@tbullock@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at County of Orange Health Care Agency 28 MA-042-11011483 13011452
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or followOrange Health Care Agency 29 MA-042-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with 11011483 13011452 addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor HASC shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor HASC as of the first day on which such Breach is known to Contractor HASC or, by exercising reasonable diligence, would have been known to ContractorHASC.
b. Contractor HASC shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of ContractorHASC, as determined by federal common law of agency.
2. Contractor HASC shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-3154 ▇▇▇▇▇▇▇▇@tbullock@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. ContractorHASC’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. ContractorHASC’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor HASC to have been, accessed, acquired, used, or disclosed during the Breach;; County of Orange Health Care Agency B-15 MA-042-1201042115011466
b. Any other information that County is required to include in the notification to Individual under Individualunder 45 CFR §164.404 (c) at the time Contractor HASC is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor HASC is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional informationadditionalinformation, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor HASC to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor HASC is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor HASC shall have the burden of demonstrating that Contractor HASC made all notifications to County toCounty consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor HASC shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor HASC shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event noevent later than fifteen (15) calendar days after ContractorHASC’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor HASC shall continue to provide all additional pertinent information about the Breach to County toCounty as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor HASC shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor HASC shall bear all expense or other costs associated with the Breach and shall reimburse County reimburseCounty for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing County of Orange Health Care Agency B-16 MA-042-1201042115011466 the Breach.
Appears in 1 contract
Sources: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Phlebotomy and Laboratory Testing Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI that affects County’s PHI, Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, Docusign Envelope ID: 589EFEA4-C448-4FC7-A588-84111CBB9CF4 as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately within ten (10) business days to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇ ▇. ▇▇▇▇▇▇ St., Suite 200 Orange, CA 92868 ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, County Privacy MBA, CISSP Chief Information Security Officer ▇▇▇ ▇. ▇▇▇▇▇▇ St., Suite 200 Orange, CA 92868 Office: (▇▇▇) ▇▇▇-▇▇▇▇ Email: ▇▇▇▇▇▇ .▇▇@▇▇▇▇▇ ▇▇▇, ▇▇ .▇▇▇▇▇.▇▇▇ Office: (714▇▇▇) 834▇▇▇-3154 ▇▇▇▇ Email: ▇▇▇▇▇▇.▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, oral but shall be followed by written notification within 24 hours ten (10) business days of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §§ 164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.. Docusign Envelope ID: 589EFEA4-C448-4FC7-A588-84111CBB9CF4
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Upon request, Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County,. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-follow up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breachand documentation.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-3154 ▇▇▇▇ ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-4082 ▇▇▇▇ ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇) ▇▇▇-▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-4082 ▇▇▇▇ ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-3154 ▇▇▇▇▇▇▇▇@tbullock@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches▇▇▇▇▇▇▇▇; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Employee Benefits Consulting and Actuarial Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 within five (5) business days of discoverydays, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY ▇▇▇▇▇ ▇▇▇▇▇▇▇Le, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇ . ▇▇▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA 92705 Office: (▇▇▇, ) ▇▇ ▇▇-▇▇▇▇ (714) 834E-3154 Mail: ▇▇▇▇▇.▇▇@▇▇▇@▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 Santa Ana, CA 92701 Office: (714) 834-3433 E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-3154 ▇▇▇▇▇▇▇▇@tbullock@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇Le, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ CA 92701 (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.within
3. Contractor’s notification shall include, to the extent possible:: twenty-four (24) hours of the oral notification. County of Orange Health Care Agency 27 MA-042-13010727 Software Maintenance and Support Services
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;reasonably
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this asthis information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such Breach(such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional informationadditionalinformation, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulationsnotificationregulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event noevent later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County toCounty as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse shallreimburse County for all expenses County incurs in addressing the Breach and consequences thereof, County of Orange Health Care Agency 28 MA-042-13010727 Software Maintenance and Support Services addressing the Breach. including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.with
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: HCA Information Technology Security Officer ▇▇▇▇▇ ▇▇▇▇▇▇▇, CHPC, CHC, CHP County Privacy Officer OCIT | CEO | SECURITY ▇▇▇▇ ▇. ▇▇▇ . ▇▇▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92705 Office: (▇▇▇, ) ▇▇ ▇▇-▇▇▇▇ (714) 834E-3154 Mail: ▇▇▇▇▇.▇▇@▇▇▇@▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., 10th Floor Santa Ana, CA 92701 ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at:
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen thirty (1530) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. .. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. In the event Contractor is responsible for the Breach, Contractor shall bear all expense or other costs associated with the Breach it and shall reimburse County for all reasonable expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Lease Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY DEPARTMENT INFORMATION TECHNOLOGY ▇▇▇▇▇ ▇▇▇▇▇▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇ . ▇▇▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA 92705 Office: (▇▇▇, ) ▇▇ ▇▇-▇▇▇▇ (714) 834E-3154 Mail: ▇▇▇▇▇.▇▇@▇▇▇@▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, Deputy County Chief Information Security Officer OCIT – Enterprise Privacy Officer & Cybersecurity ▇▇▇▇ ▇. ▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-4082 ▇▇▇▇ ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-toll- free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Administrative Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Privacy & Cybersecurity ▇▇▇▇ ▇. ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇▇ Santa Ana, CA ▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇▇▇ Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇, ▇, ▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Office: (714▇▇▇) 834▇▇▇-3154 ▇▇▇▇ E-mail: ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Regional Cooperative Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 within five (5) business days of discoverydays, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY ▇▇▇▇▇ ▇▇▇▇▇▇▇Le, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇ . ▇▇▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA 92705 Office: (▇▇▇, ) ▇▇ ▇▇-▇▇▇▇ (714) 834E-3154 Mail: ▇▇▇▇▇.▇▇@▇▇▇@▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 Santa Ana, CA 92701 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Software License Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-4082 ▇▇▇▇ ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches▇▇▇▇▇▇▇▇; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
6. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5E.3.b. (1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach no later than 5 business days of discoveryBreach, however both Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately immediatelypromptly to the County Privacy Officer at: at ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-3154 ▇▇▇▇ ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714▇▇▇) 834▇▇▇-4082 ▇▇▇▇ ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours hours5 business days of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole and if the Breach was a result of a breach of this Business Associate Contract by Contractor, at the reasonable discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.. and:
6. (1) Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
7. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
8. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Health Management Program Contract