Reporting of Improper Access, Use or Disclosure. Vendor will notify Provider in writing of any access to, use or disclosure of Provider PHI not permitted by this BAA, including any Breach of Unsecured Provider PHI and Security Incident, without unreasonable delay (and in no case later than sixty (60) days after discovery of any Breach of Unsecured Provider PHI). Such notifications will include, to the extent known by Vendor at the time of the notification, the following: Identification of each Individual whose Unsecured Provider PHI has been or is reasonably believed by Vendor to have been impermissibly accessed, used or disclosed; The date the incident occurred and the date the incident was discovered; A description of the type(s) and amount of Provider PHI involved in the incident; A description of the investigation process used by Vendor to determine the cause and extent of the incident; A description of the actions Vendor is taking to mitigate and protect against further impermissible uses or disclosures and losses; and A description of any steps individuals should take to protect themselves from potential harm resulting from the impermissible use or disclosure of Provider PHI. Notwithstanding the foregoing, Provider and Vendor acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and port scans, and Provider acknowledges and agrees that no additional notification to Provider of such unsuccessful Security Incidents is necessary. However, to the extent that Vendor becomes aware of an unusually high number of such unsuccessful Security Incidents due to the repeated acts of a single party, Vendor shall notify Provider of these attempts and provide the name, if available, of said party.
Appears in 3 contracts
Samples: Interim Management Services Agreement, Interim Management Services Agreement, Interim Management Services Agreement
Reporting of Improper Access, Use or Disclosure. Vendor BA will notify Provider CE in writing of any access to, use or disclosure of Provider PHI not permitted by this BAA, including any Breach of Unsecured Provider PHI and Security Incident, without unreasonable delay (and in no case later than sixty (60) five business days after discovery of any Breach of Unsecured Provider PHI)discovery. Such notifications will include, to the extent known by Vendor at the time of the notification, must include the following:
• A description of the impermissible access, use or disclosure of PHI;
• Identification of each Individual whose Unsecured Provider PHI has been or is reasonably believed by Vendor BA to have been impermissibly accessed, used or disclosed;
• The date the incident occurred and the date the incident was discovered;
• A description of the type(s) and amount of Provider PHI involved in the incident;
• A description of the investigation process used by Vendor to determine the cause and extent of the incident;
• A description of the actions Vendor BA is taking to mitigate and protect against further impermissible uses or disclosures and losses; and
• A description of any steps individuals should take to protect themselves from potential harm resulting from the impermissible use or disclosure of Provider PHI; and
• Any other information related to the incident that is reasonably requested by CE.
Notwithstanding the foregoing, Provider BA and Vendor CE acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and port scans, and Provider CE acknowledges and agrees that no additional notification to Provider CE of such unsuccessful Security Incidents is necessary.
However, to the extent that Vendor BA becomes aware of an unusually high number of such unsuccessful Security Incidents due to the repeated acts of a single party, Vendor BA shall notify Provider CE of these attempts and provide the name, if available, of said party. BA will reimburse CE for (i) all reasonably incurred costs related to notifying Individuals of an impermissible access, use or disclosure of PHI by BA or its Subcontractors, and (ii) all reasonably incurred expenses related to mitigating harm to the affected Individuals, such as credit monitoring services.
Appears in 1 contract
Samples: Transition Services Agreement
Reporting of Improper Access, Use or Disclosure. Vendor BA will notify Provider CE in writing of any access to, use or disclosure of Provider PHI not permitted by this BAA, including any Breach of Unsecured Provider PHI and Security Incident, without unreasonable delay (and in no case later than sixty (60) five business days after discovery of any Breach of Unsecured Provider PHI)discovery. Such notifications will include, to the extent known by Vendor at the time of the notification, must include the following: A description of the impermissible access, use or disclosure of PHI; Identification of each Individual whose Unsecured Provider PHI has been or is reasonably believed by Vendor BA to have been impermissibly accessed, used or disclosed; The date the incident occurred and the date the incident was discovered; A description of the type(s) and amount of Provider PHI involved in the incident; A description of the investigation process used by Vendor to determine the cause and extent of the incident; A description of the actions Vendor BA is taking to mitigate and protect against further impermissible uses or disclosures and losses; and A description of any steps individuals should take to protect themselves from potential harm resulting from the impermissible use or disclosure of Provider PHI; and Any other information related to the incident that is reasonably requested by CE. Notwithstanding the foregoing, Provider BA and Vendor CE acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and port scans, and Provider CE acknowledges and agrees that no additional notification to Provider CE of such unsuccessful Security Incidents is necessary. 
However, to the extent that Vendor BA becomes aware of an unusually high number of such unsuccessful Security Incidents due to the repeated acts of a single party, Vendor BA shall notify Provider CE of these attempts and provide the name, if available, of said party. BA will reimburse CE for (i) all reasonably incurred costs related to notifying Individuals of an impermissible access, use or disclosure of PHI by BA or its Subcontractors, and (ii) all reasonably incurred expenses related to mitigating harm to the affected Individuals, such as credit monitoring services.
Appears in 1 contract
Samples: Transition Services Agreement
Reporting of Improper Access, Use or Disclosure. Vendor BA will notify Provider CE in writing of any access to, use or disclosure of Provider PHI not permitted by this BAA, including any Breach of Unsecured Provider PHI and Security Incident, without unreasonable delay (and in no case later than sixty (60) five business days after discovery of any Breach of Unsecured Provider PHI)discovery. Such notifications will include, to the extent known by Vendor at the time of the notification, must include the following:
● A description of the impermissible access, use or disclosure of PHI;
● Identification of each Individual whose Unsecured Provider PHI has been or is reasonably believed by Vendor BA to have been impermissibly accessed, used or disclosed;
● The date the incident occurred and the date the incident was discovered;
● A description of the type(s) and amount of Provider PHI involved in the incident;
● A description of the investigation process used by Vendor to determine the cause and extent of the incident;
● A description of the actions Vendor BA is taking to mitigate and protect against further impermissible uses or disclosures and losses; and
● A description of any steps individuals should take to protect themselves from potential harm resulting from the impermissible use or disclosure of Provider PHI; and
● Any other information related to the incident that is reasonably requested by CE.
Notwithstanding the foregoing, Provider BA and Vendor CE acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings and port scans, and Provider CE acknowledges and agrees that no additional notification to Provider CE of such unsuccessful Security Incidents is necessary.
However, to the extent that Vendor BA becomes aware of an unusually high number of such unsuccessful Security Incidents due to the repeated acts of a single party, Vendor BA shall notify Provider CE of these attempts and provide the name, if available, of said party. BA will reimburse CE for (i) all reasonably incurred costs related to notifying Individuals of an impermissible access, use or disclosure of PHI by BA or its Subcontractors, and (ii) all reasonably incurred expenses related to mitigating harm to the affected Individuals, such as credit monitoring services.
Appears in 1 contract
Samples: Business Associate Agreement