Reporting Security Incidents Sample Clauses

Reporting Security Incidents. The Business Associate will report to the County any Incident of which the Business Associate becomes aware that is: 1. a successful unauthorized access, use or disclosure of Electronic PHI or PII; 2. a modification or destruction of electronic PHI or PII; or

Reporting Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, in the following time and manner: (a) Any actual, successful Security Incident will be reported to Covered Entity in writing, within five (5) business days of the date on which Business Associate becomes aware of such Security Incident (b) Any attempted, unsuccessful Security Incident of which Business Associate becomes aware will be reported to Covered Entity in writing, on a reasonable basis, at the written request of Covered Entity. If the Security Rule is amended to remove the requirement to report unsuccessful attempts at unauthorized access, this subsection (ii) shall no longer apply as of the effective date of the amendment of the Security Rule.

Reporting Security Incidents. CONTRACTOR agrees to report to THE COUNTY any Security Incident immediately upon becoming aware of such. CONTRACTOR further agrees to provide THE COUNTY with the following information regarding the Security Incident as soon as possible, but no more than five (5) business days after becoming aware of the Security Incident: (1) a brief description of what happened, including the dates the Security Incident occurred and was discovered; (2) a reproduction of the PHI or EPHI involved in the Security Incident; and (3) a description of whether and how the PHI or EPHI involved in the Security Incident was rendered unusable, unreadable, or indecipherable to unauthorized individuals either by encryption or otherwise destroying the PHI or EPHI prior to disposal. If CONTRACTOR determines that it is infeasible to reproduce the PHI or EPHI involved in the Security Incident, CONTRACTOR agrees to notify THE COUNTY in writing of the conditions that make reproduction infeasible and any information CONTRACTOR has regarding the PHI or EPHI involved. CONTRACTOR agrees to cooperate in a timely fashion with THE COUNTY regarding all Security Incidents reported to THE COUNTY. CONTRACTOR agrees that THE COUNTY will review all Security Incidents reported by CONTRACTOR and THE COUNTY, in its sole discretion, will take steps in response, to the extent necessary or required by law including, but not limited to, (1) notifying the individual(s) whose PHI or EPHI was involved in the Security Incident, either in writing, via telephone, through the media, or by posting a notice on THE COUNTY’s website, or through a combination of those methods, of the Security Incident; (2) providing the individual(s) whose PHI or EPHI was involved in the Security Incident with credit monitoring and related services for a period of time to be determined by THE COUNTY, at no cost to the individual(s); and (3) providing notice of the Security Incident, as required by law, to the Secretary of the United States Department of Health and Human Services (“HHS”). CONTRACTOR agrees to reimburse THE COUNTY for all expenses incurred as a result of CONTRACTOR’s Security Incidents, including, but not limited to, expenses related to the activities described above. CONTRACTOR agrees that THE COUNTY will select the contractors and negotiate the contracts related to said expenses.

Reporting Security Incidents. Business Associate shall report any Security Incident of which it is aware, following the same reporting obligations described above; provided, however, the parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) which are trivial in nature. The parties agree that this BAA serves as notice of the existence of such Unsuccessful Security Incidents and that no further notice is required except as described below. “Unsuccessful Security Incidents” shall include, but are not limited to, pings and other broadcast attacks on BA’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above. To the extent that BA becomes aware of an unusually high number of such Unsuccessful Security Incidents due to the repeated acts of a single party, Business Associate shall notify Covered Entity of the Unsuccessful Security Incidents and provide the name, if available, of said party. At the request of Covered Entity, Business Associate shall identify the date of the Security Incident, the scope of the Security Incident, Business Associate’s response to the Security Incident, and the identification of the party responsible for causing the Security Incident, if known. Cooperation with Violations. Business Associate will cooperate with Covered Entity’s investigation and/or risk assessment with respect to any report made pursuant to Section 2.5, will abide by Covered Entity’s decision with respect to whether such acquisition, access, Use or Disclosure constitutes a Breach of PHI and will follow Covered Entity’s instructions with respect to any event reported to Covered Entity by Business Associate pursuant to Section 2.5. Business Associate shall maintain complete records regarding any event requiring reporting for the period required by 45 C.F.R. 164.530(j) or such longer period as may be required by state law and shall make such records available to Covered Entity promptly upon request but in no event later than within five (5) business days.

Reporting Security Incidents. Unless otherwise specified in the Authorized User Agreement, Contractor shall report any Security Incidents to the Authorized User in the manner prescribed in ITS Policy NYS-P03-002 Information Security Policy and associated standards ITS Policy NYS-S13-005 Cyber Incident Response Standard (or successor policy(ies)).

Reporting Security Incidents. BUSINESS ASSOCIATE agrees to immediately report to the COUNTY any security incident of which it becomes aware. Security incidents include attempted or successful unauthorized access, use disclosure, modification, or destruction of information or interference with system operations in an information system.

Reporting Security Incidents. VENDOR agrees to report to Community any Security Incident immediately upon becoming aware of such. VENDOR further agrees to provide Community with the following information regarding the Security Incident as soon as possible, but no more than five (5) business days after becoming aware of the Security Incident: (1) a brief description of what happened, including the dates the Security Incident occurred and was discovered;

Reporting Security Incidents. 2.3.1. Business Associate will report Security Incidents that materially interfere with an information system used in connection with PHI. Business Associate will report those Security Incidents to HCA within five (5) Business Days of their discovery by Business Associate. If such an incident is also a Breach or may be a Breach, subsection 2.4, Breach Notification applies instead of this provision. 2.3.2. Access Attempts shall be recorded in Business Associate’s system logs. Access Attempts are not categorically considered unauthorized Use or Disclosure, but Access Attempts do fall under the definition of Security Incident and Business Associate is required to report them to HCA. Since Business Associate’s reporting and HCA’s review of all records of Access Attempts would be materially burdensome to both parties without necessarily reducing risks to information systems or PHI, the parties agree that Business Associate will review logs and other records of Access Attempts, will investigate events where it is not clear whether or not an apparent Access Attempt was successful, and determine whether an Access Attempt: 2.3.2.1. Was in fact a “successful” unauthorized Access to, or unauthorized Use, Disclosure, modification, or destruction of PHI subject to this Agreement; or 2.3.2.2. Resulted in material interference with Business Associate’s information system used with respect to PHI subject to this Agreement; or 2.3.2.3. Caused an unauthorized Use or Disclosure. 2.3.3. Subject to Business Associate’s performance as described in subsection 2.3.2., this provision shall serve as Business Associate’s notice to HCA that Access Attempts will occur and are anticipated to continue occurring with respect to Business Associate’s information systems. HCA acknowledges this notification, and Business Associate is not required to provide further notification of Access Attempts unless they are successful as described in Section 2.3.2. above, in which case Business Associate will report them in accordance with subsection 2.3.1 or Section 2.4, Breach Notification.

Reporting Security Incidents. Business Associate will report to the Covered Entity any Security Incident of which Business Associate becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or

Reporting Security Incidents. Business Associate will report to the Covered Entity any Security Incident of which Business Associate becomes aware that is (1) a successful unauthorized access, use or disclosure of any Electronic Protected Health Information; or (2) a successful major (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information. Upon the Covered Entity’s request, Business Associate will report any incident of which Business Associate becomes aware that is a successful minor (a) modification or destruction of any Electronic Protected Health Information or (b) interference with system operations in an information system containing any Electronic Protected Health Information.