Reporting of Security Incidents. The Business Associate shall track all Security Incidents as defined and as required by HIPAA and shall periodically report such Security Incidents in summary fashion as may be requested by the Covered Entity. The Covered Entity shall not consider as Security Incidents, for the purpose of reporting, external activities (port enumeration, etc.) typically associated with the “footprinting” of a computing environment as long as such activities have only identified but not compromised the logical network perimeter, including but not limited to externally facing firewalls and web servers. The Business Associate shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for Business Associate’s operations. However, the Business Associate shall expediently notify the Covered Entity’s Privacy Officer of any related Security Incident, immediately upon becoming aware of any unauthorized acquisition including but not limited to use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware.
Appears in 10 contracts
Samples: Hipaa Business Associate Agreement (American Well Corp), Grant Contract, Trading Partner Agreement
