Reporting Duties. Business Associate shall report to the Department any security incident or use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 C.F.R. § 164.410, within two (2) days of Business Associate’s discovery of such incident. The report must include the following information, to the extent known: (1) Description of the incident; (2) Date of the incident and the date the incident was discovered; (3) Description of the type of PHI involved; (4) Identification of who received PHI; (5) Identification of the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the incident; (6) Steps Business Associate or its subcontractor or agents are taking to investigate the incident and prevent continuing or further incidents; and (7) Any other information requested by the Department.
Appears in 2 contracts