Common use of HIPAA Security Clause in Contracts

HIPAA Security. Doctor agrees that: a. Doctor shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Enrollee electronic Protected Health Information (“e-PHI”) that Doctor creates, receives, maintains or transmits on behalf of CCMI or any health plan company, as required by 45 C.F.R. Part 164 (the “Security Rules”). b. Doctor shall ensure that any agent, including a subcontractor, to whom Doctor provides e-PHI agrees to implement reasonable and appropriate safeguards to protect e-PHI, and c. Doctor shall report to CCMI any security incident involving e-PHI of which Doctor becomes aware. The Security Rules define a “Security Incident” as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system, involving e-PHI that is created, received, maintained or transmitted by or on behalf of Party. Since the Security Rules include attempted unauthorized access, use, disclosure, modification or destruction of information, CCMI needs to have notification of attempts to bypass electronic security mechanisms. Therefore, the Parties agree to the following reporting procedures: Security Incidents that result in unauthorized access, use, disclosure, modifications or destruction of information or interference with system operations (“Successful Security Incidents”) and for Security Incidents that do not so result (“Unsuccessful Security Incidents”). i. For Unsuccessful Security Incidents, the Parties agree that this paragraph constitutes notice of such Unsuccessful Security Incidents. ii. For Successful Security Incidents, Doctor shall give notice to CCMI not more than five (5) days after Doctor learns of the Successful Security Incident.