DIR Personal Data. In addition to the provisions of Sections 13.1 and 13.2, the following privacy and data protection provisions shall apply to DIR Personal Data.
(a) Service Provider shall hold any DIR Personal Data that it receives in confidence and in compliance with (i) Service Provider's obligations under this Agreement, the Exhibits and Attachments hereto and the Service Management Manual and (ii) subject to Section 15.12, all Laws regarding its use of and access to such DIR Personal Data.
(b) Service Provider agrees that Service Provider and Service Provider Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Service Provider shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Service Provider shall take appropriate action to cause:
(i) Any Service Provider Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section 13.3; and
(ii) Any Service Provider Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Service Provider shall be responsible for any failure of Service Provider Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section 13.3.
(c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Service Provider shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the DIR Managed Applications Services Manager or identified in the Service Management Manual.
(d) With respect to Personal Medical Data, Service Provider shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Service Provider to obtain such authorization. In such case, Service Provider agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR.
(e) With respect to Personal Medical Data, a person may request to inspect, copy, amend and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Service Provider shall be directed to, and any actions required shall be determined by, DIR.
(f) DIR shall notify Service Provider of any:
(i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Service Provider's use or disclosure of DIR Personal Data; and
(ii) Restriction on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Service Provider's use or disclosure of such DIR Personal Data. Service Provider agrees to promptly implement any such limitation or restriction as directed by DIR.
(g) If Service Provider has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Service Provider shall:
(i) Expeditiously report such unauthorized disclosure or access to DIR,
(ii) Mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Service Provider or its agents, and
(iii) Cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate.
To the extent such unauthorized disclosure or access is attributable to a breach by Service Provider or Service Provider Personnel of Service Provider's obligations under this Agreement with respect to DIR Personal Data, Service Provider shall bear (A) the costs incurred by Service Provider in complying with its legal obligations relating to such breach and (B) in addition to any other damages for which Service Provider may be liable under this Agreement (except to the extent such disclosure is due to DIR's failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data), the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable: (1) the cost of providing notice to affected individuals, (2) where such breach results in the potential for exposure of personal credit (e.g. social security number) or financial account information, the cost of providing such affected individuals with credit monitoring services for twelve (12) months, (3) the cost of providing such affected individuals with $50,000 of identity theft insurance, (4) call center support for such affected individuals for thirty (30) days and (5) any other Losses for which Service Provider would be liable under Sections 17.1(d) and 18.3(c)(v).
(h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor.
(i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall:
(i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule. Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware:
(A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and
(B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.
Appears in 2 contracts
Samples: Master Services Agreement, Master Services Agreement
DIR Personal Data. In addition to the provisions of Sections 13.1 and 13.2, the following privacy and data protection provisions shall apply to DIR Personal Data.
(a) Service Provider shall hold any DIR Personal Data that it receives in confidence and in compliance with (i) Service Provider's obligations under this Agreement, the Exhibits and Attachments hereto and the Service Management Manual and (ii) subject to Section 15.11, all Laws regarding its use of and access to such DIR Personal Data.
(b) Service Provider agrees that Service Provider and Service Provider Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Service Provider shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Service Provider shall take appropriate action to cause:
(i) Any Service Provider Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section 13.3; and
(ii) Any Service Provider Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Service Provider shall be responsible for any failure of Service Provider Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section 13.3.
(c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Service Provider shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the DIR Managed Applications Data Center Services Manager or identified in the Service Management Manual.
(d) With respect to Personal Medical Data, Service Provider shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Service Provider to obtain such authorization. In such case, Service Provider agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR.
(e) With respect to Personal Medical Data, a person may request to inspect, copy, amend and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Service Provider shall be directed to, and any actions required shall be determined by, DIR.
(f) DIR shall notify Service Provider of any:
(i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Service Provider's use or disclosure of DIR Personal Data; and
(ii) Restriction on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Service Provider's use or disclosure of such DIR Personal Data. Service Provider agrees to promptly implement any such limitation or restriction as directed by DIR.
(g) If Service Provider has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Service Provider shall:
(i) Expeditiously report such unauthorized disclosure or access to DIR,
(ii) Mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Service Provider or its agents, and
(iii) Cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. To the extent such unauthorized disclosure or access is attributable to a breach by Service Provider or Service Provider Personnel of Service Provider's obligations under this Agreement with respect to DIR Personal Data, Service Provider shall bear (A) the costs incurred by Service Provider in complying with its legal obligations relating to such breach and (B) in addition to any other damages for which Service Provider may be liable under this Agreement (except to the extent such disclosure is due to DIR's failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data), the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable: (1) the cost of providing notice to affected individuals, (2) where such breach results in the potential for exposure of personal credit (e.g. social security number) or financial account information, the cost of providing such affected individuals with credit monitoring services for twelve (12) months, (3) the cost of providing such affected individuals with $50,000 of identity theft insurance, (4) call center support for such affected individuals for thirty (30) days and (5) any other Losses for which Service Provider would be liable under Sections 17.1(d) and 18.3(c)(v).
(h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor.
(i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall:
(i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule. Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware:
(A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and
(B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.
Appears in 1 contract
Samples: Master Services Agreement