Reporting of Security Incidents Sample Clauses

Reporting of Security Incidents. Within two (2) business days of discovery, Business Associate will report to the Covered Entity any Security Incident that involves the (1) unpermitted acquisition, access, use, or disclosure of PHI; and/or (2)(a) modification or destruction of Electronic PHI or (b) interference with system operations in an information system containing Electronic PHI. For any other type of Security Incident, Business Associate shall report such incident to Covered Entity upon request. Such reports shall include a description of the incident, identification of any Individuals affected (if any), and the types of PHI involved (if any). The day the Security Incident is discovered or would have been discovered with the exercise of reasonable diligence will be considered the first business day of the reporting period.
Reporting of Security Incidents. Business Associate shall report to Covered Entity any Security Incident affecting EPHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, of which Business Associate becomes aware. This Section constitutes notice to Covered Entity of routine and ongoing attempts to gain unauthorized access to Business Associate’s information systems (each an “Unsuccessful Attack”), including but not limited to pings, port scans, and denial of service attacks, for which no additional notice shall be required provided that no such incident results in unauthorized access to Electronic PHI.
Reporting of Security Incidents. The Business Associate shall track all Security Incidents as defined and as required by HIPAA and shall periodically report such Security Incidents in summary fashion as may be requested by the Covered Entity. The Covered Entity shall not consider as Security Incidents, for the purpose of reporting, external activities (port enumeration, etc.) typically associated with the “footprinting” of a computing environment as long as such activities have only identified but not compromised the logical network perimeter, including but not limited to externally facing firewalls and web servers. The Business Associate shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for Business Associate’s operations. However, the Business Associate shall expediently notify the Covered Entity’s Privacy Officer of any related Security Incident, immediately upon becoming aware of any unauthorized acquisition including but not limited to use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware. 3.4.1 Business Associate identifies the following key contact persons for all matters relating to this Agreement: Business Associate shall notify Covered Entity of any change in these key contacts during the term of this Agreement in writing within ten (10) business days.
Reporting of Security Incidents. Business Associate shall report any Security Incident promptly (but in no event later than 15 business days) upon becoming aware of such incident. However, the parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no further notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
Reporting of Security Incidents. Business Associate agrees to report to Covered Entity any successful Security Incident affecting PHI in the possession of Business Associate of which it becomes aware. Such report shall be made as soon as possible, but in no event later than ten (10) business days following the date that the Business Associate becomes aware of such successful Security Incident. Business Associate shall report any Security Incident that is attempted but not successful of which it becomes aware only upon receipt of a written request from Covered Entity.
Reporting of Security Incidents. Business Associate must immediately report to Covered Entity as soon as practicable, but not later than five (5) business days, after becoming aware of any Security Incident. Business Associate will provide Covered Entity with all information related to
Reporting of Security Incidents. The Business Associate shall track all security incidents as defined by HIPAA. The Business Associate shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for Business Associate’s operations. However, the Business Associate shall expediently notify the Covered Entity’s Privacy Officer of any Security Incident which would constitute a Security Event as defined by this Agreement, including any “breach of the security of the system" under T.C.A. § 47-18-2107, in a preliminary report within five (5) business days of any unauthorized acquisition including, but not limited to, use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware with a full report of the incident within ten (10) business days of the time it became aware of the incident. 3.5.1 Business Associate shall identify in writing key contact persons for administration, data processing, marketing, information systems and audit reporting. Upon request, Business Associate shall notify Covered Entity of any reduction of in-house staff persons during the term of this Agreement in writing within ten (10) business days.
Reporting of Security Incidents. DELOITTE will report to ETF any security incident of which DELOITTE becomes aware, that directly and materially involves member information, within three (3) business days after becoming aware of the incident. For the purposes of this subsection, a “security incident” that “directly and materially” involves member information means that the incident involves direct access to Personal Information, Individual Personal Information, Medical Records, or Protected Health Information that is not allowed by this Addendum or that violates 45 C.F.R. Part 164.
Reporting of Security Incidents. The BA shall track all “Security Incidents” as defined by HIPAA and shall periodically report such security incidents in summary fashion as may be requested by FHKC, but not less than annually within sixty (60) days of each anniversary of this Agreement. The BA shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for BA’s operations. However, the BA shall expediently notify FHKC’s Privacy Officer of any “Security Incident” which would constitute a “Security Event” as defined by this Agreement, including any “breach of the security of the system" under section 817.5681, Florida Statutes, in a preliminary report within two (2) business days, with a full report of the incident not less than five (5) business days of the time it became aware of the incident. The BA shall likewise notify FHKC in a preliminary report within two (2) business days of any unauthorized acquisition including but not limited to internal user access to non-test records reported to BA’s privacy manager, and any use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware with a full report of the incident not less than five (5) business days from the time it became aware of the incident. BA shall identify in writing key contact persons for administration, data processing, marketing, information systems and audit reporting within thirty (30) days of the execution of this Agreement. BA shall notify FHKC of any reduction of in-house staff during the term of this Agreement, in writing, within ten (10) business days. BA will adhere to all Privacy and Security provisions in the HITECH Act as passed as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”) under Sections 13401 and 13404. 
BA shall notify each individual whose Unsecured Protected Health Information has been or is reasonably believed by the BA to have been accessed, acquired, used, or disclosed as a result of a breach, except when law enforcement requires a delay pursuant to 45 CFR 164.412. BA shall notify such individuals without unreasonable delay, and in no case later than sixty (60) days after discovery of the breach, as follows:
• By written notice in plain language including, to the extent possible:
  o A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  o A description of the t...
Reporting of Security Incidents. Business Associate will report to Customer on no less than fourteen business (14) days from the date any Security Incidents involving PHI of which Business Associate becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.