3.9.2 Reporting of Breach of Unsecured PHI. BA shall notify CE within thirty (30) calendar days following the discovery of a suspected or actual Breach of Unsecured PHI. A suspected or actual Breach shall be treated as discovered by BA as of the first day on which the Breach is known, or, by exercising reasonable diligence would have been known, to the BA. If a delay is requested by a law enforcement official in accordance with 45 C.F.R. § 164.412, BA may delay notifying CE for the applicable period of time.

3.9.3 Content of Notice. The notice of unauthorized Use or Disclosure, or of Breach of Unsecured PHI, shall include:

(a) To the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by BA to have been improperly accessed, acquired, Used or Disclosed;

(b) Information related to the unauthorized person or persons who impermissibly Used the PHI or to whom the improper Disclosure was made, and whether the PHI was actually acquired or viewed;

(c) The nature of the Breach or other non-permitted Use or Disclosure, including a brief description of what happened, the date of the non-permitted Use or Disclosure or Breach and the date of discovery;

(d) A description of the types of Unsecured PHI that were involved in the non-permitted Use or Disclosure or Breach, including the nature of services, types of identifiers, and the likelihood of re-identification, including whether full name, social security number, credit card number, date of birth, home address, account number, diagnosis, medication, treatment plan, or other information were involved;

(e) The corrective or investigative action BA took or will take to prevent further non-permitted Uses or Disclosures, to protect against future Breaches, and the extent to which the risk to the PHI has been mitigated;

(f) Any details necessary for CE to conduct a risk assessment to determine the probability that the PHI believed to have been improperly accessed, acquired, Used or Disclosed has been compromised and the steps the affected Individuals should take to protect themselves; and

(g) Such other information, including a written report, as CE may reasonably request.

3.9.4 Costs of Breach Notification and Mitigation. BA shall, at its own cost and expense, mitigate to the extent practicable, any harmful effects known to BA of any Use or Disclosure of PHI in violation of the requirements of this Agreement. To the extent that CE determines that the Breach notification requirements of the HIPAA Rules are triggered by a Breach of Unsecured PHI, as described in Section 4.3 below, BA shall reimburse CE for all reasonable and necessary costs related to such notifications.

3.9.5 Security Incidents. BA will report to CE any attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of Electronic Protected Health Information provided by CE or interference with BA's system operations in BA's information system of which BA becomes aware. The Parties acknowledge that probes and reconnaissance scans are commonplace in the industry and, as such, the Parties acknowledge and agree that, to the extent such probes and reconnaissance scans constitute Security Incidents, this Section 3.9.5 constitutes notice by BA to CE of the ongoing existence and occurrence of such Security Incidents for which no additional notice to CE shall be required, as long as such probes and reconnaissance scans do not result in unauthorized access, Use, or Disclosure of PHI. Probes and reconnaissance scans include, without limitation, pings and other broadcast attacks on BA's firewall, port scans, and unsuccessful log-on attempts that do not result in unauthorized access, Use or Disclosure of PHI.

3.9.6 State Law Requirements. In the event BA has an independent notification obligation related to impermissible Use or Disclosure of PHI in connection with this Agreement or the Services Agreement, BA shall promptly notify CE of such obligation and, at least five (5) business days before giving any such notice, BA shall notify CE of its intent to provide the required notifications, including any related information required by applicable state law.

3.10 Retention of PHI
<br />FCHN-PRO-042016 20