Under breach notification it is optional to add:
[The parties may wish to add additional specificity regarding the breach notification obligations of the business associate, such as a stricter time frame for the business associate to report a potential breach to the covered entity and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the covered entity.]
I outlined mine. and included specific information regarding notifications (procedures) Specific time frames are in my compliance plan.