Reporting of Security Incidents. The BA shall track all “Security Incidents” as defined by HIPAA and shall periodically report such security incidents in summary fashion as may be requested by FHKC, but not less than annually within sixty (60) days of each anniversary of this Agreement. The BA shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for BA’s operations. However, the BA shall expediently notify FHKC’s Privacy Officer of any “Security Incident” which would constitute a “Security Event” as defined by this Agreement, including any “breach of the security of the system" under section 817.5681, Florida Statutes, in a preliminary report within two (2) business days, with a full report of the incident not less than five (5) business days of the time it became aware of the incident. The BA shall likewise notify FHKC in a preliminary report within two (2) business days of any unauthorized acquisition including but not limited to internal user access to non-test records reported to BA’s privacy manager, and any use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware with a full report of the incident not less than five (5) business days from the time it became aware of the incident. BA shall identify in writing key contact persons for administration, data processing, marketing, information systems and audit reporting within thirty (30) days of the execution of this Agreement. BA shall notify FHKC of any reduction of in-house staff during the term of this Agreement, in writing, within ten (10) business days. BA will adhere to all Privacy and Security provisions in the HITECH Act as passed as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”) under Sections 13401 and 13404. 
BA shall notify each individual whose Unsecured Protected Health Information has been or is reasonably believed by the BA to have been accessed, acquired, used, or disclosed as a result of a breach, except when law enforcement requires a delay pursuant to 45 CFR 164.412. BA shall notify such individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the breach, as follows: By written notice in plain language including, to the extent possible:
o A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
o A description of the types of Unsecured Protected Health Information involved in the breach (including but not limited to items such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
o Any steps individuals should take to protect themselves from potential harm resulting from the breach;
o A brief description of what BA and FHKC are doing to investigate the breach, to mitigate the harm to individuals, and to protect against further breaches; and
o Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address.
BA must use a method of notification that meets the requirements of 45 CFR 164.404(d). BA must provide notice to the media when required under 45 CFR 164.406, and to HHS pursuant to 45 CFR 164.408.
Appears in 1 contract
Sources: Standard Services Contract
Reporting of Security Incidents. The BA shall track all Security Incidents and shall periodically report such Security Incidents in summary fashion as may be requested by FHKC, but not less than annually within sixty (60) days of each anniversary of this Agreement. The BA shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for BA’s operations. However, the BA shall expediently notify FHKC’s Privacy Officer of any “Security Incident” which would constitute a “Security Event” as defined by this Agreement, including any “Breach of Security” under section 501.171, Florida Statutes, in a preliminary report within two (2) business days, with a full report of the incident not less than five (5) business days of the time it became aware of the incident. The BA shall likewise notify FHKC in a preliminary report within two (2) business days of any unauthorized Access or acquisition, including but not limited to internal user Access to non-test records reported to BA’s privacy manager, and any Use, Disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware with a full report of the incident not less than five (5) business days from the time it became aware of the incident. BA shall identify in writing key contact persons for administration, data processing, marketing, information systems and audit reporting within thirty (30) days of the execution of this Agreement. BA shall notify FHKC of any reduction of in-house staff during the term of this Agreement, in writing, within ten (10) business days. BA will adhere to all Privacy and Security provisions in the HITECH Act as passed as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”) under Sections 13401 and 13404.
BA shall notify each individual whose Unsecured Protected Health Information has been or is reasonably believed by the BA to have been accessed, acquired, used, or disclosed as a result of a breach, except when law enforcement requires a delay pursuant to 45 CFR 164.412. BA shall notify such individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the breach, as follows: By written notice in plain language including, to the extent possible:
o A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
o A description of the types of Unsecured Protected Health Information involved in the breach (including but not limited to items such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
o Any steps individuals should take to protect themselves from potential harm resulting from the breach;
o A brief description of what BA and FHKC are doing to investigate the breach, to mitigate the harm to individuals, and to protect against further breaches; and
o Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address.
BA must use a method of notification that meets the requirements of 45 CFR 164.404(d). BA must provide notice to the media when required under 45 CFR 164.406, and to HHS pursuant to 45 CFR 164.408.
Appears in 1 contract
Sources: Business Associate Agreement