Reporting to Covered Entity. (1) For Successful Security Incidents and any other use or disclosure of PHI that is not permitted by this Agreement, the Agreement, by applicable law, or without the prior written approval of the Covered Entity, Business Associate – without unreasonable delay and in no event later than thirty (30) days after Business Associate learns of such non-permitted use or disclosure – shall provide Covered Entity a report that will:
a. Identify (if known) each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach;
b. Identify the nature of the non-permitted access, use, or disclosure including the date of the incident and the date of discovery;
c. Identify the PHI accessed, used, or disclosed (e.g., name; social security number; date of birth);
d. Identify who made the non-permitted access, use, or received the non-permitted disclosure;
e. Identify what corrective action Business Associate took or will take to prevent further non-permitted accesses, uses, or disclosures;
f. Identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted access, use, or disclosure; and
g. Provide such other information, including a written report, as the Covered Entity may reasonably request.
(2) For Unsuccessful Security Incidents, Business Associate shall provide Covered Entity, upon its written request, a report that: (i) identifies the categories of Unsuccessful Security Incidents as described in Section 4(b)(iii)(4); (ii) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (iii) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.
Appears in 2 contracts
Samples: Business Associate Agreement, Business Associate Agreement
Reporting to Covered Entity. (1a) For Successful Security Incidents and Business Associate will report to Covered Entity any other use or disclosure of PHI that is not permitted by this Agreement, the Agreement, by applicable law, or without the prior written approval Agreement of the Covered Entitywhich it becomes aware.
(b) Following discovery of a Breach of Unsecured PHI, Business Associate – without unreasonable delay and in will report the Breach to Covered Entity no event later than thirty twenty-four (3024) days hours after Business Associate learns discovery of such non-permitted use or disclosure – shall provide Covered Entity a report that will:the Breach as provided in Section 13 of this Agreement related to notices.
a. Identify (if i) The notification will include, to the extent known, (A) the identification of each individual whose Unsecured Protected Health Information PHI has been, or is reasonably believed by Business Associate to have been been, accessed, acquired, used or disclosed during such the Breach;
b. Identify the nature ; and (B) a brief description of the non-permitted access, use, or disclosure what happened (including the date of the incident Breach and the date of discovery;discovery of the Breach), a description of the types of Unsecured PHI that were involved in the Breach, steps individuals should take to protect themselves from potential harm resulting from the Breach, and a brief description of what Business Associate is doing to investigate the Breach, mitigate harm to individuals, and protect against further Breaches.
c. Identify (ii) If the information required in Section 4(b)(i) of this Agreement is not known at the time of notification to Covered Entity by Business Associate, the information shall be provided as promptly thereafter as the Information becomes available.
(c) Business Associate will report to Covered Entity any Security Incident involving Electronic PHI accessed, used, or disclosed of which it becomes aware in accordance with the following procedures:
(e.g., name; social security number; date of birth);
d. Identify who made the non-permitted i) For successful Security Incidents (those that result in unauthorized access, use, disclosure, modification or received the non- permitted disclosure;
e. Identify what corrective action destruction of information or interference with system operations), Business Associate took or promptly will take report to prevent further non-permitted accesses, uses, or disclosures;Covered Entity any successful Security Incidents of which it becomes aware.
f. Identify what Business Associate did or will (ii) For unsuccessful Security Incidents (those that do to mitigate any deleterious effect of the non-permitted not result in unauthorized access, use, disclosure, modification or disclosure; and
g. Provide such other informationdestruction of information or interference with system operations), including a written report, as the Covered Entity may reasonably request.
(2) For and Business Associate agree that this paragraph constitutes notice of such Unsuccessful Security Incidents. By way of example, Business Associate shall provide Covered Entity, upon its written request, a report that: (i) identifies the categories Parties consider the following to be illustrative of Unsuccessful Security Incidents as described when they do not result in Section 4(b)(iii)(4); actual unauthorized access, use, disclosure, modification or destruction of Electronic PHI or interference with an information system that contains or processes Electronic PHI: (iiA) indicates whether Business Associate believes its current defensive security measures are adequate pings on a firewall, (B) port scans, (C) attempts to address all Unsuccessful Security Incidentslog on to a system or enter a database with an invalid password or username, given the scope and nature of such attempts; (D) denial-of-service attacks that do not result in a server being taken off-line, and (iiiE) if the security measures are not adequateMalware (worms, the measures viruses, etc.)
(d) Business Associate will implement take reasonable measures to address mitigate, to the security inadequaciesextent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this Agreement.
Appears in 1 contract
Samples: Business Associate Agreement
Reporting to Covered Entity. (1) . For Successful Security Incidents and any other use or disclosure of PHI that is not permitted by this Agreement, the Agreement, by applicable law, or without the prior written approval of the Covered Entity, Business Associate – without unreasonable delay and in no event later than fifteen (15) days after Business Associate learns of such non-permitted use or disclosure – shall provide Covered Entity a report that will:
a. Identify (if known) each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach;
b. Identify the nature of the non-permitted access, use, or disclosure including the date of the incident and the date of discovery;
c. Identify the PHI accessed, used, or disclosed (e.g., name; social security number; date of birth);
d. Identify who made the non-permitted access, use, or received the non-permitted disclosure;
e. Identify what corrective action Business Associate took or will take to prevent further non-permitted accesses, uses, or disclosures;
f. Identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted access, use, or disclosure; and
g. Provide such other information, including a written report, as the Covered Entity may reasonably request.
(2) . For Unsuccessful Security Incidents, Business Associate shall provide Covered Entity, upon its written request, a report that: (i) identifies the categories of Unsuccessful Security Incidents as described in Section 3(b)(iii)(4); (ii) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (iii) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.
Appears in 1 contract
Samples: Health Risk Management Agreement
Reporting to Covered Entity. (i) For Successful Security Incidents and any other use or disclosure of PHI or Personal Information that is not permitted by this Agreement, the Arrangement, by applicable law, or without the prior written approval of the Covered Entity, Business Associate, without unreasonable delay, but in no event later than ten (10) business days after Business Associate learns of such Successful Security Incident or non-permitted use or disclosure, shall provide Covered Entity a report that will:
(a.) Identify, if known, each individual whose Unsecured Protected Health Information or Personal Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach;
(b) Identify the nature of the non-permitted access, use, or disclosure, including the date of the incident and the date of discovery;
(c) Identify the PHI or Personal Information accessed, used, or disclosed (e.g., name; social security number, date of birth);
(d) Identify who made the non-permitted access, use, or received the non-permitted disclosure;
(e) Identify what corrective action Business Associate took or will take to prevent further non-permitted access, use or disclosure;
(f) Identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted access, use, or disclosure; and
(g) Provide such other information, including a written report, as the Covered Entity may reasonably request.
(ii) For Unsuccessful Security Incidents, Business Associate shall provide Covered Entity, upon its written request, a report that: (a) identifies the categories of Unsuccessful Security Incidents as described in Section 2.2; (b) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (c) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.
Appears in 1 contract
Samples: Business Associate Agreement