BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412. a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor. b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency. 2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA ▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇.▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification. 3. Contractor’s notification shall include, to the extent possible: a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach; b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: (1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach; (4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and (5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 4. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach. 5. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur. 6. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above. 7. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
Appears in 1 contract
Sources: Contract for Off Site Data Storage and Retrieval Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, Deputy OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA ▇▇▇▇▇ 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ Santa Ana, CA 92701 ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | Enterprise Privacy & Cybersecurity HCA Information Technology Security Officer ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer CHPC, CHC, CHP ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇ ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., 10th Floor Santa Ana, CA 92701 Santa Ana, CA 92701 Office: (▇▇▇) ▇▇▇-▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Electronic Health Records System Maintenance and Support Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇ ▇▇▇▇▇▇▇, County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-3154 ▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ Or ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇ ▇. ▇▇▇ ▇▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ (714) 834-4082 ▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇▇▇▇▇@▇▇▇▇▇.▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA ▇▇▇▇▇ 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇.▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches▇▇▇▇▇▇▇▇; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 17 1. Following the discovery of a Breach of Unsecured PHI PHI, Contractor shall 18 notify County of such Breach, however both parties Parties agree to a delay in the notification if 19 so advised by a law enforcement official pursuant to 45 CFR § 164.412.
21 a. A Breach shall be treated as discovered by Contractor as of the first 22 day on which such Breach is known to Contractor or, by exercising reasonable diligence, 23 would have been known to Contractor.
25 b. Contractor shall be deemed to have knowledge of a Breach, if the 26 Breach is known, or by exercising reasonable diligence would have known, to any person 27 who is an employee, officer, or other agent of Contractor, as determined by federal 28 common law of agency.
30 2. Contractor shall provide the notification of the Breach immediately to the OCIT | CEO | SECURITY County Privacy Officer at: HCA Information Technology Security Officer ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer CHPC, CHC, CHP ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92705 Office: (714) 834-4082 ▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇.▇▇@▇▇▇▇ ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇.▇▇▇▇▇.▇▇▇, 10th Floor Santa Ana, CA 92701 (714) 834-3433 31 County Privacy Officer at: 32 33 34 35 36 37 2 3
4 a. Contractor’s notification may be oral, but shall be followed by written E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ 5 notification within 24 twenty-four (24) hours of the oral notification.
7 3. Contractor’s notification shall include, to the extent possible:
9 a. The identification of each Individual whose Unsecured PHI has 10 been, or is reasonably believed by Contractor to have been, accessed, acquired, used, 11 or disclosed during the Breach;
13 b. Any other information that County is required to include in the 14 notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to 15 notify County or promptly thereafter as this information becomes available, even after the 16 regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
: 18 (1) A brief description of what happened, including the date of the 19 Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
5. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
6. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
7. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
Appears in 1 contract
Sources: Contract for Provision of Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer Interim Chief Information Security Officer, CHPC, CHC, CHP OCIT – Enterprise Security ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA ▇▇▇▇▇ 92705 (▇▇▇714) ▇▇▇834-▇▇▇▇ 4082 ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇, County Privacy Officer, CHPC, CHC, CHP OCIT – Enterprise Security ▇▇▇▇ ▇. ▇▇. ▇▇▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92705 (714) 834-4082 ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
5. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
6. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
7. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
Appears in 1 contract
Sources: Contract Ma 017 20011143
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY County Privacy Officer HCA Information Technology Security Officer ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer CHPC, CHC, CHP ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., 10th Floor Santa Ana, CA ▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇.▇▇@▇▇▇▇.▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Professional Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, Deputy OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA ▇▇▇▇▇ 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ Santa Ana, CA 92701 ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Contract for Clinical and Non Clinical Temporary Staffing Services
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency. County Privacy Officer HCA Information Technology Security Officer ▇▇▇▇▇ Le, CHPC, CHC, CHP County Privacy Officer OCIT | CEO | SECURITY ▇▇▇▇ ▇. ▇▇. ▇▇▇▇▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ (714) 834-3433 ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., 10th Floor Santa Ana, CA 92701 ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: ▇▇▇▇▇ ▇▇, Deputy County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA ▇▇▇▇▇ (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇.▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇:
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably HCA ASR 20-000812 County of Orange Page 14 Health Care Agency believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, HCA ASR 20-000812 County of Orange Page 15 Health Care Agency including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Subordinate Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY ▇▇▇▇▇ ▇▇, Deputy CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA ▇▇▇▇▇ 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 Santa Ana, CA 92701 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
Sources: Software Maintenance and Database Hosting Services Agreement
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY ▇▇▇▇▇ ▇▇, Deputy CHPC, CHC, CHP County Privacy Officer ▇▇15▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA ▇▇▇▇▇ 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ IT Security Officer 20▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 Santa Ana, CA 92701 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract
BREACH DISCOVERY AND NOTIFICATION. 1. Following the discovery of a Breach of Unsecured PHI , Contractor shall notify County of such Breach, however both parties Parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412.. County of Orange, Health Care Agency Software Maint. & Data Hosting Services Page 33 of 50
a. A Breach shall be treated as discovered by Contractor as of the first day on which such Breach is known to Contractor or, by exercising reasonable diligence, would have been known to Contractor.
b. Contractor shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of Contractor, as determined by federal common law of agency.
2. Contractor shall provide the notification of the Breach immediately to the County Privacy Officer at: OCIT | CEO | SECURITY HCA INFORMATION TECHNOLOGY ▇▇▇▇▇ ▇▇Le, Deputy CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ . ▇▇., ▇▇▇▇▇ ▇▇▇▇▇ ▇, 2nd Fl. Santa Ana, CA ▇▇▇▇▇ 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-Mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇ IT Security Officer ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇ ▇▇▇▇., Ste. 1000 Santa Ana, CA 92701 Office: (714) 834-3433 E-Mail: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇
a. Contractor’s notification may be oral, but shall be followed by written notification within 24 twenty-four (24) hours of the oral notification.
3. Contractor’s notification shall include, to the extent possible:
a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, used, or disclosed during the Breach;
b. Any other information that County is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time Contractor is required to notify County or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including:
(1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
(2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(3) Any steps Individuals should take to protect themselves from potential harm County of Orange, Health Care Agency Software Maint. & Data Hosting Services Page 34 of 50 resulting from the Breach;
(4) A brief description of what Contractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and
(5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
4. County may require Contractor to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the County.
5. In the event that Contractor is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, Contractor shall have the burden of demonstrating that Contractor made all notifications to County consistent with this Paragraph E and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach.
56. Contractor shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
67. Contractor shall provide to County all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit County to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after Contractor’s initial report of the Breach to County pursuant to Subparagraph E.2 above.
78. Contractor shall continue to provide all additional pertinent information about the Breach to County as it may become available, in reporting increments of five (5) business days after the last report to County. Contractor shall also respond in good faith to any reasonable requests for further information, or follow-up information after report to County, when such request is made by County.
9. Contractor shall bear all expense or other costs associated with the Breach and shall reimburse County for all expenses County incurs in addressing the Breach and consequences thereof, including costs of investigation, notification, remediation, documentation or other costs associated with addressing the Breach.
Appears in 1 contract