Common use of Incident Reporting Clause in Contracts

Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity the following: 6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.4. A description of the probable causes of the incident; 6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services 00 Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000

Incident Reporting. 6.1.10.0.0. Business Xxxxxxxx Associate shall report to Covered Entity the following: 6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.4. A description of the probable causes of the incident; 6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Health Office of Legal Services 00 the Chief Operating Officer 000 X. Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.00000000

Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity DAS the following:: DAS BAA Revised 05/18 2 6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.4. A description of the probable causes of the incident; 6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services 00 Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000000.000.0000 Email: xxx.xxxxxxxxxxxxx@xxx.xxxx.xxx

Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity DAS the following: 6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.4. A description of the probable causes of the incident; 6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services 00 Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000000.000.0000 Email: xxx.xxxxxxxxxxxxx@xxx.xxxx.xxx

Incident Reporting. 6.1.15.1.1. Business Associate shall report to Covered Entity the following: 6.1.1.15.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.25.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.25.1.2. Within 24 hours of discovery of a suspected reportable incident as described in in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.15.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.25.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.35.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.45.1.2.4. A description of the probable causes of the incident; 6.1.2.55.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.65.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.35.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services 00 Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000[office name] [phone] [email address] [address]

Incident Reporting. 6.1.15.1.1. Business Associate shall report to Covered Entity the following: 6.1.1.15.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.25.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.25.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 in 5.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.15.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.25.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.35.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.45.1.2.4. A description of the probable causes of the incident; 6.1.2.55.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.65.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.35.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services Human Resources 000-000-0000 xxxxxxx.xxxxxxx@xxx.xxxx.xxx 00 Xxxx Xxxxx XxxxxxXx., 00xx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000Xxxxx

Incident Reporting. 6.1.1. Business Associate shall report to Covered Entity the following: 6.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.2. Within 24 hours of discovery of a suspected reportable incident as described in in 6.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.4. A description of the probable causes of the incident; 6.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.36.1.2.6.1. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Xxxxxxxx Xxxxxx, Chief Legal Counsel Ohio Department of Administrative Services Office of Legal Services 00 Aging 000 X. Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000xxxxxxx@xxx.Xxxx.xxx

Incident Reporting. 6.1.15.1.1. Business Associate shall report to Covered Entity the following: 6.1.1.15.1.1.1. Any use or disclosure of PHI which is not in compliance with the terms of this Agreement or applicable law of which it becomes aware; and 6.1.1.25.1.1.2. Any security incident of which it becomes aware. For purposes of this Agreement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 6.1.25.1.2. Within 24 hours of discovery of a suspected reportable incident as described in 6.1.1 in 5.1.1 above, Business Associate shall notify Covered Entity of the existence and nature of the incident as understood at that time. Business Associate shall immediately investigate the incident and within 72 hours of discovery shall provide Covered Entity, in writing, a report describing the results of Business Associate’s investigation, including: 6.1.2.15.1.2.1. What data elements were involved, the extent of the data involved in the incident, and the identification of affected individuals, if applicable; 6.1.2.25.1.2.2. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed PHI, or to have been responsible for the incident; 6.1.2.35.1.2.3. A description of where the PHI is believed to have been improperly transmitted, sent, or utilized, if applicable; 6.1.2.45.1.2.4. A description of the probable causes of the incident; 6.1.2.55.1.2.5. A description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and 6.1.2.65.1.2.6. Whether the Associate believes any federal or state laws requiring notifications to individuals are triggered. 6.1.35.1.3. Reporting and other communications made to the Covered Entity under this section must be made to the agency’s HIPAA privacy officer at: Ohio Department of Administrative Services Office of Legal Services 00 Xxxx Xxxxx Xxxxxx, 00xx Xxxxx Xxxxxxxx, Xxxx 00000 Main: (000) 000-0000 Direct: (000) 000-0000 Fax: 000.000.0000[office name] [phone] [email address] [address]