Content of Report. Notification to CE of a Breach shall include, at a minimum, the following: 7.2.1 A brief description of what happened, including the date of the incident and the date of the discovery of the incident, if known; 7.2.2 A description of the types of Unsecured PHI that were involved in the incident (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information) and that were or are reasonably believed by BA to have been impermissibly accessed, acquired, used or disclosed; 7.2.3 A fact-specific and detailed risk assessment of whether the incident poses a significant risk of financial, reputational, or other harm to the individual whose Unsecured PHI has been (or is reasonable believed by BA to have been) acquired, accessed, used or disclosed; 7.2.4 Identification of the Individuals whose Unsecured PHI has been, or is reasonably believed by BA to have been, accessed, acquired, used or disclosed; 7.2.5 Any steps Individuals should take to protect themselves from potential harm resulting from the incident; 7.2.6 A brief description of what BA is doing to investigate the incident, to mitigate harm to Individuals, and to protect against any further incidents; and 7.2.7 Any other information reasonably requested by CE to be included in the report.
Appears in 2 contracts
Sources: Business Associate Agreement, Business Associate Agreement