Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity the following: 6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.4. A description of the probable causes of the incident; 6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇
Appears in 4 contracts
Sources: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Incident Reporting. 6.1.1▇.▇.▇. Business ▇▇▇▇▇▇▇▇ Associate shall report to Covered Entity the following:
6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in in
6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.4. A description of the probable causes of the incident;
6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Health Office of Legal Services the Chief Operating Officer ▇▇▇ ▇. ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇
Appears in 3 contracts
Sources: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity DAS the following:: DAS BAA Revised 05/18 2
6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.4. A description of the probable causes of the incident;
6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇ Email: ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇▇.▇▇▇
Appears in 2 contracts
Sources: Business Associate Agreement, Business Associate Agreement
Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity DAS the following:
6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.4. A description of the probable causes of the incident;
6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇ Email: ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇▇.▇▇▇
Appears in 2 contracts
Sources: Business Associate Agreement, Business Associate Agreement
Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity the following:
6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in in
6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.4. A description of the probable causes of the incident;
6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.36.1.2.6.1. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, Chief Legal Counsel Ohio Department of Aging ▇▇▇ ▇. ▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.@▇▇▇.▇▇▇▇.▇▇▇
Appears in 1 contract
Sources: Business Associate Agreement
Incident Reporting. 6.1.15.1.1. Business Associate shall report to Covered Entity the following:
6.1.1.15.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.25.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.25.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 in
5.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.15.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.25.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.35.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.45.1.2.4. A description of the probable causes of the incident;
6.1.2.55.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.65.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.35.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇[office name] [phone] [email address] [address]
Appears in 1 contract
Sources: Business Associate Agreement
Incident Reporting. 6.1.15.1.1. Business Associate shall report to Covered Entity the following:
6.1.1.15.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.25.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.25.1.2. Within 24 hours of discovery of a suspected reportable incident as described in in
6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.15.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.25.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.35.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.45.1.2.4. A description of the probable causes of the incident;
6.1.2.55.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.65.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.35.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇[office name] [phone] [email address] [address]
Appears in 1 contract
Sources: Business Associate Agreement
Incident Reporting. 6.1.15.1.1. Business Associate shall report to Covered Entity the following:
6.1.1.15.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and
6.1.1.25.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
6.1.25.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 in
5.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including:
6.1.2.15.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable;
6.1.2.25.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident;
6.1.2.35.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable;
6.1.2.45.1.2.4. A description of the probable causes of the incident;
6.1.2.55.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and
6.1.2.65.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered.
6.1.35.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services Human Resources ▇▇▇-▇▇▇-▇▇▇▇ ▇▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇▇.▇▇▇▇.▇▇▇ ▇▇ ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇., ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇ Main: (▇▇▇) ▇▇▇-▇▇▇▇ Direct: (▇▇▇) ▇▇▇-▇▇▇▇ Fax: ▇▇▇.▇▇▇.▇▇▇▇
Appears in 1 contract
Sources: Business Associate Agreement