Common use of Reports on Security Incidents Clause in Contracts

Reports on Security Incidents. In addition to following the breach notification requirements in section 13402 of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), as amended, and related regulations, the Privacy Rule, the Security Rule, agency guidance and other applicable federal and state laws, Business Associate shall report to at , within two (2) days of discovery any security incident of which it becomes aware. At the sole expense of Business Associate, Business Associate shall comply with all federal and state breach notification requirements, including those applicable to Business Associate and those applicable to Covered Entity. Business Associate shall indemnify the Covered Entity for costs associated with any incident involving the acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under federal or state law and agency guidance. For purposes of the security incident reporting requirement, inconsequential unsuccessful incidents that occur on a daily basis, such as scans, “pings,” or other unsuccessful attempts to penetrate computer networks or servers containing electronic PHI maintained by Business Associate, need not be reported in accordance with this section, but may instead be reported in the aggregate on a monthly basis.

Reports on Security Incidents. In addition to following the breach notification requirements in section 13402 of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”), as amended, and related regulations, the Privacy Rule, the Security Rule, agency guidance and other applicable federal and state laws, Business Associate shall report to at , within two three (23) business days of discovery any security incident of which it becomes aware. At the sole expense of Business Associate, Business Associate shall comply with all federal and state breach notification requirements, including those applicable to Business Associate and those applicable to Covered Entity. Business Associate shall indemnify the Covered Entity for costs associated with any incident involving the acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under federal or state law and agency guidance. For purposes of the security incident reporting requirement, inconsequential unsuccessful incidents that occur on a daily basis, such as scans, “pings,” or other unsuccessful attempts to penetrate computer networks or servers containing electronic PHI maintained by Business Associate, need not be reported in accordance with this section, but may instead be reported in the aggregate on a monthly basis.