Common use of Reporting of Disclosures of PHI Clause in Contracts

Reporting of Disclosures of PHI. Business Associate shall report to Covered Entity within forty-eight (48) hours any Security Incident, Security Breach or use or disclosure of PHI in violation of this BAA of which it becomes aware. A Security Breach/Incident will be considered “discovered” by Busines Associate as of the first day on which such Breach/Security Incident is known to Business Associate (including any person, other than the individual committing the Breach/Incident, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate to have occurred. Business Associate’s initial reports to Covered Entity regarding Security Breaches/Incidents shall include the identification of each Individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach/Incident, the type of PHI accessed, acquired or disclosed, as well as any other information required by law. Business Associate shall take prompt corrective action to cure any deficiencies and will take any action pertaining to such Security Breach/Incident required by applicable federal and state laws and regulations and as directed by Covered Entity. Business Associate will provide a written report to Covered Entity within ten (10) calendar days of the discovery of any use or disclosure of Covered Entity’s PHI not permitted by this Agreement, and such report shall describe in detail: (i) the actions taken by Business Associate to mitigate any harmful effect of the unauthorized use or disclosures and

Reporting of Disclosures of PHI. Business Associate shall report to Covered Entity within forty-eight (48) hours any Security Incident, Security Breach or use or disclosure of PHI in violation of this BAA Agreement of which it becomes aware. A Security Breach/Incident will be considered “discovered” by Busines Associate Noteworthy as of the first day on which such Breach/Security Incident is known to Business Associate (including any person, other than the individual committing the Breach/Incident, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate to have occurred. Business Associate’s initial reports to Covered Entity regarding Security Breaches/Incidents shall include the identification of each Individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach/Incident, as well as the type of PHI accessed, acquired or disclosed, as well as any other information required by law. Business Associate shall take prompt corrective action to cure any deficiencies and will take any action pertaining to such Security Breach/Incident required by applicable federal and state laws and regulations and as directed by Covered Entityregulations. Business Associate will provide a written report to Covered Entity within ten fifteen (1015) calendar days of the discovery of any use or disclosure of Covered Entity’s PHI not permitted by this Agreement, and such report shall describe in detail: (i) the actions taken by Business Associate to mitigate any harmful effect of the unauthorized use or disclosures and

Reporting of Disclosures of PHI. Business Associate shall report to Covered Entity within forty-eight twenty (4820) hours days any Security Incident, Security Breach or use or disclosure of PHI in violation of this BAA Agreement of which it becomes aware. A Security Breach/Security Incident will be considered “discovered” by Busines Associate as of the first day on which such Breach/Security Incident is known to Business Associate (including any person, other than the individual committing the Breach/Incident, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate to have occurred. Business Associate’s initial reports to Covered Entity regarding Security Breaches/Security Incidents shall include the identification of each Individual whose unsecured PHI (as defined under ARRA and the HIPAA Standards) has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach/Incident, as well as the type of PHI accessed, acquired or disclosed, as well as any other information required by law. Business Associate shall take prompt corrective action to cure and mitigate any deficiencies and will take any action pertaining to such Security Breach/Security Incident required by applicable federal and state laws and regulations and as directed by Covered Entityregulations. Business Associate will provide a written report to Covered Entity within ten thirty (1030) calendar days of the discovery of any use or disclosure of Covered Entity’s PHI not permitted by this AgreementAgreement and the Privacy Standards, and such report shall describe in detail: (i) the actions taken by Business Associate to mitigate any harmful effect of the unauthorized use or disclosures andand (ii) what corrective action Business Associate has taken or shall take to prevent future similar unauthorized use or disclosure. To the extent Business Associate coordinates and assists Covered Entity in providing notice of the Breach/ Security Incident to Individuals, Business Associate agrees to do so in accordance with the Breach Standards including without limitation regarding timeliness, content and recipients of such notice.