Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures Sample Clauses

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement or of any Incident, including breaches of unsecured PHI, then Business Associate will immediately notify Covered Entity in accordance with 45 CFR 164.410. Business Associate will follow the following breach notification requirements: a. Business Associate shall immediately notify Covered Entity of suspicion of a breach or of a known potential breach. If Business Associate discovers a breach of Unsecured PHI, including breach as defined in Florida Statutes § 501.171, Business Associate shall notify Covered Entity as soon as practicable and in no case later than within 10 calendar days after discovery. For this purpose, discovery means the first day on which the breach is known to Business Associate or by exercising reasonable diligence would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a breach if the breach is known or by exercising reasonable diligence would have been known to any person, other than the person committing the breach, who is an employee, officer, subcontractor or other agent of Business Associate. The notification must include identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the breach and any other available information in Business Associate's possession which Covered Entity is required to include in the individual notice contemplated by 45 CFR § 164.404. b. Upon notification by Business Associate to Covered Entity of a breach of Unsecured PHI, the Business Associate shall assist Covered Entity in complying with the notification obligations as set forth under the HIPAA Rule, Florida law, and regulations as amended. c. Business Associate shall maintain a log of breaches of Unsecured PHI with respect to Covered Entity and shall submit the log to Covered Entity within 30 calendar days following the end of each calendar year so that Covered Entity may report breaches to the Secretary in accordance with 45 CFR § 164.408.

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement, then Business Associate shall promptly notify Covered Entity in accordance with Section 12. Business Associate shall establish and implement procedures and other reasonable efforts for mitigating, to the extent practicable, any harmful effects arising from any improper use and/or disclosure of PHI of which it becomes aware. Furthermore, in the event Business Associate becomes aware of a Security Incident involving PHI, by itself or any of its agents or subcontractors, Business Associate shall notify Covered Entity in writing within ten (10) calendar days, of such Security Incident. Business Associate shall identify (to the extent known) the: (i) date of the Security Incident; (ii) scope of the Security Incident; (iii) Business Associate’s response to the Security Incident; and (iv) identification of the party responsible for the Security Incident, if known. Covered Entity and Business Associate agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or Security Incident. For these purposes, a "Security Incident" shall mean the successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Certain low risk attempts to breach network security, such as the incidents listed below, shall not constitute a Security Incident under this Agreement, provided they do not penetrate the perimeter, do not result in an actual breach of security, and remain within the normal incident level: pings on the firewall; port scans; attempts to log onto a system or enter a database with an invalid password or username; denial-of-service attacks that do not result in a major outage.

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. If Business Associate has knowledge of any use or disclosure of PHI not provided for by this Agreement, then Business Associate shall promptly notify Covered Entity in accordance with Section 12. Business Associate shall establish and implement procedures and other reasonable efforts for mitigating, to the extent possible, any harmful effects arising from any improper use and/or disclosure of PHI of which it becomes aware. Furthermore, in the event Business Associate becomes aware of a Security Incident involving PHI, by itself or any of its agents or subcontractors, Business Associate shall notify Covered Entity in writing within ten (10) calendar days, of such Security Incident. Business Associate shall identify the: (i) date of the Security Incident; (ii) scope of the Security Incident; (iii) Business Associate’s response to the Security Incident; and (iv) identification of the party responsible for the Security Incident, if known. Covered Entity and Business Associate agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or Security Incident. For these purposes, a "Security Incident" shall mean the successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. Business Associate shall report, in writing, to Covered Entity’s Privacy Officer any security incident or breach after Business Associate discovers the breach and without unreasonable delay. Further, Business Associate shall investigate the breach and provide to Covered Entity as soon as possible, all information Covered Entity may require to make notifications of the breach to individuals, or other persons or entities. Business Associate shall cooperate with Covered Entity in addressing the breach.

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. Contractor will comply with the following obligations in connection with the use or disclosure of Personally Identifiable Information that is not expressly permitted by this Agreement, and that takes place while such information is in the custody or control of Contractor or a Contractor Agent (a “Security Incident”). (a) Contractor will report to District each Security Incident of which it becomes aware. The initial report of a Security Incident will be made by telephone call to the [District Relationship Manager] no later than twenty-four (24) hours after Contractor becomes aware of the Security Incident. The initial report will be followed by a written report to District no later than three (3) days after the date on which Contractor became aware of the Security Incident. (b) The written report of the Security Incident will include: (1) the date the Security Incident occurred; (2) a description of the unauthorized uses or disclosures involved in the Security Incident; (3) the number of Data Subjects affected by the Security Incident; (4) to the extent possible, the identities of the Data Subjects whose Personally Identifiable Information has been, or is reasonably believed by Contractor to have been, accessed, acquired, used or disclosed during the Security Incident; (5) the types of Personally Identifiable Information involved in the Security Incident; and (6) the steps Contractor has taken to investigate the Security Incident, mitigate potential harm to the affected Data Subjects, and prevent further Security Incidents, including steps Contractor believes the affected Data Subjects should take to protect themselves against potential harm resulting from the Security Incident. (c) Contractor will promptly supplement the written report with additional information about the Security Incident as Contractor obtains the information, including Contractor’s assessment as to whether the Security Incident is reportable under applicable laws. (d) To the extent that any applicable law requires that the affected Data Subjects or any governmental authorities be notified of a Security Incident, Contractor will be responsible at its cost and expense for: (i) at District’s request, and where possible under law, providing such notices to Data Subjects or governmental authorities containing the information required by applicable law, provided that Contractor will provide District’s prior approval of any content, form and timing of such notice; (ii) conducting any forensic...

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. 3.1 Business Associate shall establish and implement procedures and other reasonable efforts to mitigate, to the greatest extent possible, any harmful effects arising from any improper use or disclosure of PHI. 3.2 Business Associate shall comply with Section 13402 of the HITECH Act and implementing regulations, 45 CFR Part 164, Subpart D, as may be amended (collectively, the “Breach Notification Rules”), and shall report any breach of unsecured PHI to Provider within two

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. 6.1 Business Associate will report to the Privacy Officer of Covered Entity, in writing, any acquisition, access, Use or Disclosure of PHI that is not permitted or required by this Agreement, without unreasonable delay, but in no event more than five (5) calendar days after discovery by Business Associate of such unauthorized acquisition, access, Use or Disclosure. This reporting obligation shall include acquisitions, access, Uses or Disclosures by Business Associate, its employees, contractors, Subcontractors, agents, representatives or any third party to which Business Associate disclosed PHI. Without limiting the foregoing, Business Associate shall report the acquisition, access, Use or Disclosure even if it determines that there is a low probability that the PHI has been compromised. 6.2 Business Associate, in accordance with 45 C.F.R § 164.410, shall report, in writing, to the Privacy Officer of Covered Entity any Security Incident involving ePHI of which it becomes aware, without unreasonable delay, but in no event more than five (5) calendar days after Business Associate becomes aware of the Security Incident that: (i) results in unauthorized access, Use, Disclosure, modification or destruction of ePHI or interference with system operations; or (ii) does not result in unauthorized access, Use, Disclosure, modification or destruction of ePHI or interference with system operations ("Unsuccessful Security Incident") but that Business Associate reasonably determines is of a type or pattern that warrants further action. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section 6.2 of the Agreement constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents that are not of a type or pattern that warrant further action. If the HIPAA regulations are amended to remove the requirement to report Unsuccessful Security Incidents, the requirement hereunder to report such Unsuccessful Security Incidents will no longer apply as of the effective date of the amendment. 6.3 Business Associate will report to the Privacy Officer of Covered Entity, in writing, any Breach of Unsecured PHI, without unreasonable delay, but in any event no more than five (5) calendar days (or any shorter period required under applicable state law) after discovery by Business Associate of such Breach. This reporting obligation shall include Breaches by Business Associate, its employees, contract...

Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures. DocuWare will promptly report, upon discovery, in writing and in accordance with Section 11.9 of the Cloud Services Agreement, any Security Incident or Breach (as defined below) by it or any of its employees, directors, officers, agents, subcontractors or representatives concerning the use or disclosure of PHI. For purposes of this Agreement, “