Common use of Reporting of Improper Use or Disclosure, Security Incident or Breach Clause in Contracts

Reporting of Improper Use or Disclosure, Security Incident or Breach. FDI shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by FDI to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by FDI shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on FDI’s firewall, port scans, unsuccessful log‐on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. FDI’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by FDI to have been, accessed, acquired or disclosed during the Breach; and

Reporting of Improper Use or Disclosure, Security Incident or Breach. FDI NORCAL shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by FDI NORCAL to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by FDI NORCAL shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on FDINORCAL’s firewall, port scans, unsuccessful log‐on log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. FDINORCAL’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by FDI NORCAL to have been, accessed, acquired or disclosed during the Breach; andand (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404

Reporting of Improper Use or Disclosure, Security Incident or Breach. FDI NORCAL SPECIALTY shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by FDI NORCAL SPECIALTY to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by FDI NORCAL SPECIALTY shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on FDINORCAL SPECIALTY’s firewall, port scans, unsuccessful log‐on log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. FDINORCAL SPECIALTY’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by FDI NORCAL SPECIALTY to have been, accessed, acquired or disclosed during the Breach; andand (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404

Reporting of Improper Use or Disclosure, Security Incident or Breach. FDI Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI BAA or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by FDI Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by FDI Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on FDIBusiness Associate’s firewall, port scans, unsuccessful log‐on log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. FDIBusiness Associate’s notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, been or is reasonably believed by FDI Business Associate to have been, accessed, acquired or disclosed during the Breach; andand (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.