Reporting Security Incidents. Business Associate shall report any Security Incident of which it is aware, following the same reporting obligations described above; provided, however, the parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) which are trivial in nature. The parties agree that this BAA serves as notice of the existence of such Unsuccessful Security Incidents and that no further notice is required except as described below. “Unsuccessful Security Incidents” shall include, but are not limited to, pings and other broadcast attacks on BA’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above. To the extent that BA becomes aware of an unusually high number of such Unsuccessful Security Incidents due to the repeated acts of a single party, Business Associate shall notify Covered Entity of the Unsuccessful Security Incidents and provide the name, if available, of said party. At the request of Covered Entity, Business Associate shall identify the date of the Security Incident, the scope of the Security Incident, Business Associate’s response to the Security Incident, and the identification of the party responsible for causing the Security Incident, if known.
Cooperation with Violations. Business Associate will cooperate with Covered Entity’s investigation and/or risk assessment with respect to any report made pursuant to Section 2.5, will abide by Covered Entity’s decision with respect to whether such acquisition, access, Use or Disclosure constitutes a Breach of PHI and will follow Covered Entity’s instructions with respect to any event reported to Covered Entity by Business Associate pursuant to Section 2.5. Business Associate shall maintain complete records regarding any event requiring reporting for the period required by 45 C.F.R. 164.530(j) or such longer period as may be required by state law and shall make such records available to Covered Entity promptly upon request but in no event later than within five (5) business days.
Appears in 4 contracts
Samples: Business Associate Agreement, Business Associate Agreement, Business Associate Agreement
Reporting Security Incidents. Business Associate will report any security incidents that materially interfere with an information system used in connection with PHI. Business Associate will report those security incidents to HCA within five days of their discovery by Business Associate. If such an incident is also a Breach or may be a Breach, subsection 3 applies instead of this provision. Access Attempts shall be recorded in Business Associate’s system logs. Access Attempts are not categorically considered unauthorized Use or Disclosure, but Access Attempts do fall under the definition of Security Incident and Business Associate is required to report them to HCA. Since Business Associate’s reporting and HCA’s review of all records of Access Attempts would be materially burdensome to both parties without necessarily reducing risks to information systems or PHI, the parties agree that Business Associate will review logs and other records of Access Attempts, will investigate events where it is not clear whether or not an apparent Access Attempt was successful, and determine whether an Access Attempt:
a. Was in fact a “successful” unauthorized Access to, or unauthorized Use, Disclosure, modification, or destruction of PHI subject to this Agreement, or
b. Resulted in material interference with Business Associate’s information system used with respect to PHI subject to this Agreement, or
c. Caused an unauthorized Use or Disclosure.
Subject to Business Associate’s performance as described herein. This provision shall serve as Business Associate’s notice to HCA that Access Attempts will occur and are anticipated to continue occurring with respect to Business Associate’s information systems. HCA acknowledges this notification, and Business Associate is not required to provide further notification of Access Attempts unless they are successful as described in this Section 2 in which case Business Associate will report them in accordance with this Section 2.
Appears in 3 contracts
Samples: Client Services Contract, Client Services Contract Restatement, Client Services Contract
Reporting Security Incidents. 2.3.1 Business Associate will report any security incidents that materially interfere with an information system used in connection with PHI. Business Associate will report those security incidents to HCA within five days of their discovery by Business Associate. If such an incident is also a Breach or may be a Breach, subsection 2.4 applies instead of this provision.
2.3.2 Access Attempts shall be recorded in Business Associate’s system logs. Access Attempts are not categorically considered unauthorized Use or Disclosure, but Access Attempts do fall under the definition of Security Incident and Business Associate is required to report them to HCA. Since Business Associate’s reporting and HCA’s review of all records of Access Attempts would be materially burdensome to both parties without necessarily reducing risks to information systems or PHI, the parties agree that Business Associate will review logs and other records of Access Attempts, will investigate events where it is not clear whether or not an apparent Access Attempt was successful, and determine whether an Access Attempt:
a. Was in fact a “successful” unauthorized Access to, or unauthorized Use, Disclosure, modification, or destruction of PHI subject to this Agreement, or
b. Resulted in material interference with Business Associate’s information system used with respect to PHI subject to this Agreement, or
c. Caused an unauthorized Use or Disclosure.
2.3.3 Subject to Business Associate’s performance as described in 2.3.2., this provision shall serve as Business Associate’s notice to HCA that Access Attempts will occur and are anticipated to continue occurring with respect to Business Associate’s information systems. HCA acknowledges this notification, and Business Associate is not required to provide further notification of Access Attempts unless they are successful as described in Section 2.3.2. above, in which case Business Associate will report them in accordance with Section 2.3.1 or Section 2.4.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement (Baa)
Reporting Security Incidents. A. Company agrees to the following reporting procedures for Security Incidents that result in unauthorized access, use, disclosure, modification or destruction of EPHI or interference with system operations (“Successful Security Incidents”) and for security incidents that do not result in unauthorized access, use, disclosure, modification or destruction of EPHI or interference with system operations (“Unsuccessful Security Incidents”). In the event that a Successful Security Incident involves EPHI, then Company will also be required to submit a breach report as required by Subsection 6.A and 6.B, in addition to the report described below in Section 7.B.
B. Company will report to Covered Entity any Successful Security Incident of which it becomes aware within ten (10) business days. At a minimum such report will contain the following information:
1. Date and time when the security incident occurred and/or was discovered
2. Name(s) of system(s), program(s), or network(s) affected by the security incident
3. Preliminary impact analysis
4. Description of and scope of EPHI used, disclosed, modified, or destroyed by the security incident
5. Description of any mitigation steps taken
6. Company will provide the report to the CareFirst Security Official at 00000 Xxxx Xxx Xxxxxx, Xxxxxx Xxxxx, XX 00000 and to the individual specified under the Notice Provision in the Agreement and will send such report by traceable carrier.
C. To avoid unnecessary burden on either party, Company will report to Covered Entity any Unsuccessful Security Incident of which it becomes aware only upon request of Covered Entity. The frequency, content and format of the report of unsuccessful security incidents will be mutually agreed upon by the parties.
Appears in 2 contracts
Samples: General Agency Agreement, Producer Agreement
Reporting Security Incidents. A. Agent agrees to the following reporting procedures for Security Incidents that result in unauthorized access, use, disclosure, modification or destruction of EPHI or interference with system operations (“Successful Security Incidents”) and for security incidents that do not result in unauthorized access, use, disclosure, modification or destruction of EPHI or interference with system operations (“Unsuccessful Security Incidents”). In the event that a Successful Security Incident involves EPHI, then Agent will also be required to submit a breach report as required by Subsection 6.B and 6.C, in addition to the report described below in Section 7.B.
B. Agent will report to Covered Entity any Successful Security Incident of which it becomes aware within ten (10) days. At a minimum such report will contain the following information:
1. Date and time when the security incident occurred and/or was discovered
2. Name(s) of system(s), program(s), or network(s) affected by the security incident
3. Preliminary impact analysis
4. Description of and scope of EPHI used, disclosed, modified, or destroyed by the security incident
5. Description of any mitigation steps taken
6. Agent will provide the report to the CareFirst Security Official at 00000 Xxxx Xxx Xxxxxx, Xxxxxx Xxxxx, XX 00000 and to the individual specified under the Notice Provision in the Agreement and will send such report by traceable carrier.
C. To avoid unnecessary burden on either party, Agent will report to Covered Entity any Unsuccessful Security Incident of which it becomes aware only upon request of Covered Entity. The frequency, content and format of the report of unsuccessful security incidents will be mutually agreed upon by the parties.
Appears in 1 contract