Common use of Content of Notification Clause in Contracts

Content of Notification. The notification required by Paragraph C.1 shall include, to the extent possible, all information required to provide notification to the Individual under 45 CFR Section 164.404(c), including but not limited to:[32]

a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, used, or disclosed during the Breach;
b. The date of the Breach and the date of the discovery of the Breach, if known;
c. The scope of the Breach;
d. A description of the types of Unsecured PHI that were involved in the Breach; and
e. The Business Associate’s response to the Breach.

In the event of a Breach, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect of such Breach known to the Business Associate.

Although HITECH does not require the business associate to notify the individuals affected by the breach, California Civil Code Section 1798.82 requires any person or business in California to report security breaches of unencrypted computerized personal data to the individuals affected. Personal data refers to a client/tenant's first name or first initial and last name, in combination with his or her social security number, driver's license or California Identification Card number, credit card information, medical information, and health insurance information. Cal. Civ. Code § 1798.82(h). Business associates should familiarize themselves with the notification requirements of the California law.

[31] HIPAA requires the notification to be made without unreasonable delay and in no case later than sixty calendar days after discovery of a breach. 45 CFR § 164.410(b). A breach is considered discovered by the business associate on the first day on which the breach is known or, through reasonable diligence, would have been known, to an employee, officer, or other agent of the business associate, other than the person committing the breach. 45 CFR 164.410(a)(2). The covered entity may wish to specify a time by which notification must be made. A business associate should negotiate with the covered entity to establish a reasonable time frame for notice. A business associate has the burden of demonstrating proper notification to the covered entity of any and all breaches of unsecured PHI. 45 CFR § 164.414(b). Therefore, a supportive housing provider must retain accurate records of breaches and notifications.

[32] As discussed earlier, the covered entity is required to notify individuals affected by any breach of unsecured PHI. See 45 CFR § 164.404. In turn, HIPAA requires the business associate to provide sufficient information to the covered entity in the case of a breach to allow the covered entity to fulfill its own notification responsibilities. 45 CFR § 164.410(c).

Appears in 3 contracts

Sources: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement