Business Associate Agreement Page 6

V. Breaches and Security Incidents
5.1 Privacy or Security Breach. Business Associate will report to Covered Entity any use or
disclosure of Covered Entity’s Protected Health Information not permitted by this BA Contract
along with any Breach of Covered Entity’s Unsecured Protected Health Information. Business
Associate will treat the Breach as being discovered in accordance with 45 CFR § 164.410.
Business Associate will make the report to Covered Entity’s Privacy Official or other corporate
contact within 60 calendar days after Business Associate learns of such non-permitted use or
disclosure. If a delay is requested by a law-enforcement official in accordance with 45 CFR §
164.412, Business Associate may delay notifying Covered Entity for the applicable time period.
Business Associate’s report will at least:
(a) Identify the nature of the breach or other non-permitted use or disclosure, which will
include a brief description of what happened, including the date of any Breach and the
date of the discovery of any Breach;
(b) Identify Covered Entity’s Protected Health Information that was subject to the
non-permitted use or disclosure or Breach (such as whether full name, social security
number, date of birth, home address, account number or other information were involved)
on an individual basis;
(c) Identify who made the non-permitted use or disclosure and who received the
non-permitted disclosure;
(d) Identify what corrective or investigational action Business Associate took or will take to
prevent further non-permitted uses or disclosures, to mitigate harmful effects and to
protect against any further Breaches;
(e) Identify what steps the individuals who were subject to a Breach should take to protect
themselves;
(f) Provide such other information, including a written report, as Covered Entity may
reasonably request.
5.2 Security Incidents. Business Associate will report to Covered Entity any successful (A)
unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s Electronic
Protected Health Information or (B) interference with Business Associate’s system operations in
Business Associate’s information systems, of which Business Associate becomes aware.
Business Associate will make this report monthly, except that if any such Security Incident
resulted in a disclosure not permitted by this BA Contract or Breach of Covered Entity’s
Unsecured Protected Health Information, Business Associate will make the report in accordance
with the provisions set forth in the paragraph above.
VI. Term and Termination
6.1 Term. The Term of this BA Contract shall be effective as of Effective Date, and shall terminate
when all of the Protected Health Information provided by Covered Entity to Business Associate,
or created or received by Business Associate on behalf of Covered Entity, is destroyed or
returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information,
protections are extended to such information, in accordance with the termination provisions in this
Section.
Page 6 of 8
