Model Business Associate Agreement Template Page 6

date of discovery of a HIPAA Breach. In addition to the foregoing and
notwithstanding anything to the contrary herein, Business Associate will also
comply with applicable state law, including without limitation, Section 521 Texas
Business and Commerce Code, as amended by HB 300 (82nd Legislature), or such
other laws or regulations as may later be amended or adopted. In the event of any
conflict between this Section 8.1, the Confidentiality Requirements, Section 521 of
the Texas Business and Commerce Code, and any other later amended or adopted
laws or regulations, the most stringent requirements shall govern.
8.2 Discovery of Breach. Business Associate will, following the
discovery of a HIPAA Breach, notify Covered Entity without unreasonable delay
and in no event later than the earlier of the maximum of time allowable under
applicable law or three (3) business days after Business Associate discovers such
HIPAA Breach, unless Business Associate is prevented from doing so by 45 C.F.R.
§164.412 concerning law enforcement investigations. For purposes of reporting a
HIPAA Breach to Covered Entity, the discovery of a HIPAA Breach shall occur as
of the first day on which such HIPAA Breach is known to the Business Associate or,
by exercising reasonable diligence, would have been known to the Business
Associate. Business Associate will be considered to have had knowledge of a
HIPAA Breach if the HIPAA Breach is known, or by exercising reasonable
diligence would have been known, to any person (other than the person committing
the HIPAA Breach) who is an employee, officer or other agent of the Business
Associate.
8.3 Reporting a Breach. Without unreasonable delay and no later than
the earlier of the maximum of time allowable under applicable law or five (5)
business days following a HIPAA Breach, Business Associate shall provide Covered
Entity with sufficient information to permit Covered Entity to comply with the
HIPAA Breach notification requirements set forth at 45 C.F.R. § 164.400 et seq.
Specifically, if the following information is known to (or can be reasonably obtained
by) the Business Associate, Business Associate will provide Covered Entity with:
(i) contact information for individuals who were or who may have been
impacted by the HIPAA Breach (e.g., first and last name, mailing address,
street address, phone number, email address);
(ii) a brief description of the circumstances of the HIPAA Breach, including
the date of the HIPAA Breach and date of discovery;
(iii) a description of the types of unsecured PHI involved in the HIPAA Breach
(e.g., names, social security number, date of birth, addresses, account
numbers of any type, disability codes, diagnostic and/or billing codes and
similar information);
(iv) a brief description of what the Business Associate has done or is doing to
investigate the HIPAA Breach, mitigate harm to the individual impacted
by the HIPAA Breach, and protect against future HIPAA Breaches; and
THSA– Model Business Associate Agreement