Implementation of Safeguards; Notice of Security Incidents. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Addendum and comply with applicable provisions of 45 C.F.R. Part 164, Subpart C with respect to ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate will notify Covered Entity of any use or disclosure of PHI of which Business Associate becomes aware that violates the HIPAA Regulations, the terms of the Agreement or this Addendum. Business Associate will report to Covered Entity any Security Incident of which it becomes aware. Notwithstanding the foregoing, the parties acknowledge and agree that this subsection (h) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. Unsuccessful Security Incidents means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Covered Entity’s ePHI.
