Common use of Breach Notification Requirements Clause in Contracts

Breach Notification Requirements.

5.1 With respect to any Breach, the Covered Entity shall notify each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Covered Entity to have been, accessed, acquired, used, or disclosed as a result of such Breach, except when law enforcement requires a delay pursuant to 45 CFR §164.412:

  5.1.1 Without unreasonable delay and in no case later than 60 days after discovery of a Breach.

  5.1.2 By notice in plain language including and to the extent possible:

    5.1.2.1 A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;

    5.1.2.2 A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

    5.1.2.3 Any steps individuals should take to protect themselves from potential harm resulting from the Breach;

    5.1.2.4 A brief description of what the Covered Entity involved is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches; and

    5.1.2.5 Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.

  5.1.3 Use a method of notification that meets the requirements of 45 CFR §164.404(d).

  5.1.4 Provide notice to the media when required under 45 CFR §164.406 and to the Secretary pursuant to 45 CFR §164.408.

Appears in 1 contract

Sources: Business Associate Agreement

Breach Notification Requirements.

5.1 With respect to any Breach, the Covered Entity shall notify each individual whose Unsecured PHI has been, or is reasonably believed by the Covered Entity to have been, accessed, acquired, used, or disclosed as a result of such Breach, except when law enforcement requires a delay pursuant to 45 CFR §164.412. This notice shall be:

  a. Without unreasonable delay and in no case later than 60 calendar days after discovery of a Breach.

  b. In plain language including and to the extent possible:

    1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;

    2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

    3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;

    4) A brief description of what the Covered Entity involved and/or Business Associate is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches; and,

    5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address.

  c. By a method of notification that meets the requirements of 45 CFR §164.404(d).

  d. Provided to the media when required under 45 CFR §164.406 and to the Secretary pursuant to 45 CFR §164.408.

Appears in 1 contract

Sources: Business Associate Agreement