Common use of Reporting of Improper Use or Disclosure, Security Incident or Breach Clause in Contracts

Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.

Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate NORCAL shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA BAA, Breach of Unsecured PHI or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate NORCAL to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate NORCAL shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business AssociateNORCAL’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business AssociateNORCAL’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been been, or is reasonably believed by Business Associate NORCAL to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.

Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate NORCAL SPECIALTY shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA BAA, Breach of Unsecured PHI or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate NORCAL SPECIALTY to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate NORCAL SPECIALTY shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business AssociateNORCAL SPECIALTY’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business AssociateNORCAL SPECIALTY’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been been, or is reasonably believed by Business Associate NORCAL SPECIALTY to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.

Reporting of Improper Use or Disclosure, Security Incident or Breach. Business Associate FDI shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA BAA, Breach of Unsecured PHI or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate FDI to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate FDI shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business AssociateFDI’s firewall, port scans, unsuccessful log-on log‐on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business AssociateFDI’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been been, or is reasonably believed by Business Associate FDI to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.and