Common use of Reporting of Improper Use or Disclosure Clause in Contracts

Reporting of Improper Use or Disclosure. Business Associate shall report to Covered Entity, as soon as reasonably practicable, any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of Unsecured Protected Health Information (as defined in the Privacy and Security Rules). Knowledge of any improper use or disclosure by an agent or subcontractor of Business Associate shall not be imputed to Business Associate unless and until such agent or subcontractor shall have reported such improper use or disclosure to the Business Associate representative responsible for the Covered Entity engagement. With respect to Electronic PHI, Business Associate shall, as soon as reasonably practicable, report to Covered Entity any Security Incident. The parties acknowledge and agree that this Section 3.b. constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.

Reporting of Improper Use or Disclosure. Business Associate shall report to Covered Entity, as soon as reasonably practicable, any use or disclosure of PHI not provided for by this Agreement BAA of which it becomes aware, including breaches of Unsecured Protected Health Information (as defined in the Privacy and Security Rules). Knowledge of any improper use or disclosure by an agent or subcontractor of Business Associate shall not be imputed to Business Associate unless and until such agent or subcontractor shall have reported such improper use or disclosure to the Business Associate representative responsible for the Covered Entity engagement. With respect to Electronic PHI, Business Associate shall, as soon as reasonably practicable, report to Covered Entity any Security Incident. The parties acknowledge and agree that this Section 3.b. constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.