Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, immediately and in any event no more than five (5) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents. In connection with any improper use or disclosure, Security Incident or Breach, Business Associate shall conduct and document a risk assessment, in accordance with the HIPAA Rules, of such unauthorized use or disclosure and provide Covered Entity with a copy of such risk assessment upon a Covered Entity’s request. Covered Entity, in its sole and absolute discretion, may elect to delegate to Business Associate the requirement under the HIPAA Rules to notify affected Individuals of a Breach of Unsecured Protected Health Information if such Breach results from, or is related to, an act or omission of Business Associate or the agents, subcontractors or representatives of Business Associate. If Covered Entity elects to make such a delegation, Business Associate shall perform such notifications and undertake all related remediation activities that are reasonably required (i) at Business Associate’s sole cost and expense, and (ii) in compliance with all applicable requirements, including the HIPAA Rules. Business Associate shall also provide Covered Entity with the opportunity, in advance, to review and approve of the form and content of any such Breach notification that Business Associate provides to Individuals.
Appears in 1 contract
Sources: Business Associate Agreement
Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate shall report to Customer any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident experienced by Business Associate or a(n) agent or subcontractor of Business Associate, without unreasonable delay, and in any event no more than five (5) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Customer by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate’s notification to Customer of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Customer would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
In the case of a Breach of Unsecured PHI in the custody and control of Business Associate or a(n) agent or subcontractor of Business Associate, Business Associate shall pay all reasonable costs (including legal, mailing, labor, administrative costs, vendor charges, and other reasonable costs), losses, penalties, fines, and liabilities arising from or associated with the Breach, including without limitation, the costs of Business Associate’s, the Customer’s, and Customer’s health plan’s actions taken to: (i) notify the affected Individual(s) of, and to respond to, the Breach; (ii) mitigate harm to the affected Individual(s); (iii) respond to questions or requests for information about the Breach; and (iv) pay fines, damages or penalties assessed against the Customer, its health plan(s), or Business Associate on account of the Breach of Unsecured PHI.
Appears in 1 contract
Sources: Business Associate Agreement