Common use of Reporting of Breaches, Potential Breaches, and Security Incidents Clause in Contracts

Reporting of Breaches, Potential Breaches, and Security Incidents. Business Associate must report to the City any use or disclosure of the PHI not provided for by this Business Associate Agreement of which it becomes aware, as well as any Breach of Unsecured PHI; potential Breach of unsecured PHI; any security incident of which it becomes aware; any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI; or any attempted or successful interference with Business Associate’s system operations of which Business Associate becomes aware. Business Associate will make the report to the City’s HIPAA Privacy and Security Officers not more than five (5) calendar days after Business Associate discovers such non-permitted use or disclosure, Breach, security incident, or other incident as described above. Business Associate shall provide any reports or notices required by HIPAA as a result of Business Associate’s Breach. On behalf of the City, Business Associate will provide such reports or notices to any party or entity (including but not limited to media, Secretary, and individuals affected by the Breach) entitled by law to receive the reports or notices. Business Associate agrees to pay the costs associated with notifying individuals affected by the Breach, which may include, but are not limited to, paper, printing, and mailing costs. Business Associate is not required to report the following types of unsuccessful security incidents: pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI. If a delay is requested by a law enforcement official in accordance with 45 CFR 164.412, Business Associate may delay notifying City for the time period specified in HIPAA. Business Associate’s report will include the information described in 45 CFR 164.404(c) and such other information as the City may reasonably request.

Reporting of Breaches, Potential Breaches, and Security Incidents. Business Associate must report to the City any use or disclosure of the PHI not provided for by this Business Associate Agreement of which it becomes aware, as well as any Breach of Unsecured PHI; potential Breach of unsecured PHI; any security incident of which it becomes aware; any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI; or any attempted or successful interference with Business Associate’s system operations of which Business Associate becomes aware. Business Associate will make the report to the City’s HIPAA Privacy and Security Officers not more than five (5) calendar days after Business Associate discovers such non-permitted use or disclosure, Breach, security incident, or other incident as described above. Business Associate shall provide any reports or notices required by HIPAA as a result of Business Associate’s Breach. On behalf of the City, Business Associate will provide such reports or notices to any party or entity (including but not limited to media, Secretary, and individuals affected by the Breach) entitled by law to receive the reports or notices. Business Associate agrees to pay the costs associated with notifying individuals affected by the Breach, which may include, but are not limited to, paper, printing, and mailing costs. Business Associate is not required to report the following types of unsuccessful security incidents: pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI. If a delay is requested by a law enforcement official in accordance with 45 CFR 164.412, Business Associate may delay notifying City for the time period specified in HIPAA. Business Associate’s report will include the information described in 45 CFR 164.404(c) and such other information as the City may reasonably request.