Common use of Reporting Security Incidents and Non-Permitted Use or Disclosure Clause in Contracts

Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity in writing each Security Incident or Use or Disclosure that is made by Business Associate, members of its Workforce or Subcontractors that is not specifically permitted by this BAA no later than three (3) business days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident or non-permitted Use or Disclosure of Covered Entity’s PHI that it discovers to determine whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI. Business Associate shall document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 2.5.1. Upon request of Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.5.2 below.

Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity in writing each confirmed Security Incident or Use or Disclosure that is made by Business Associate, members of its Workforce Workforce, or Subcontractors that is not specifically permitted by this BAA no later than three ten (310) business days after becoming aware of confirming such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident or non-permitted Use or Disclosure of Covered Entity’s PHI that it discovers to determine whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI. Business Associate shall document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 2.5.1. Upon written request of by Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.5.2 below.

Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity in writing each Security Incident security incident or Use use or Disclosure disclosure that is made by Business Associate, members of its Workforce workforce, or Subcontractors subcontractors that is not specifically permitted by this BAA BAA, no later than three (3) business days after becoming aware of such Security Incident security incident or non-permitted Use use or Disclosuredisclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident security incident or non-permitted Use use or Disclosure disclosure of Covered Entity’s PHI that it discovers discovers, to determine whether such Security Incident security incident or non-non- permitted Use use or Disclosure disclosure constitutes a reportable Breach breach of Unsecured unsecured PHI. Business Associate shall document and retain records of its investigation of any Breachbreach, including its reports to Covered Entity under this Section 2.5.1. Upon request of Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident security incident or non-permitted Use use or Disclosure disclosure constitutes a reportable Breachbreach. If such Security Incident security incident or non-permitted Use use or Disclosure disclosure constitutes a reportable Breach breach of Unsecured unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.5.2 below.

Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate 2 shall report to Covered Entity Business Associate 1 in writing each Security Incident or Use or Disclosure that is made by Business AssociateAssociate 2, members of its Workforce or Subcontractors that is not specifically permitted by this BAA no later than three (3) business days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Business Associate 2 shall investigate each Security Incident or non-permitted Use or Disclosure of Covered EntityBusiness Associate 1’s PHI that it discovers to determine whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI. Business Associate 2 shall document and retain records of its investigation of any Breach, including its reports to Covered Entity Business Associate 1 under this Section 2.5.1. Upon request of Covered EntityBusiness Associate 1, Business Associate 2 shall furnish to Covered Entity Business Associate 1 the documentation of its investigation and an assessment of whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Business Associate 2 shall comply with the additional requirements of Section 2.5.2 below.

Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity in writing each Security Incident or Use use or Disclosure disclosure that is made by Business Associate, members of its Workforce workforce, or Subcontractors subcontractors that is not specifically permitted by this BAA BAA, no later than three (3) business days after becoming aware of such Security Incident security incident or non-non- permitted Use use or Disclosuredisclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident security incident or non-permitted Use use or Disclosure disclosure of Covered Entity’s PHI that it discovers discovers, to determine whether such Security Incident security incident or non-permitted Use use or Disclosure disclosure constitutes a reportable Breach breach of Unsecured unsecured PHI. Business Associate shall document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 2.5.1. Upon request of Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident security incident or non-permitted Use use or Disclosure disclosure constitutes a reportable Breach. If such Security Incident security incident or non-permitted Use use or Disclosure disclosure constitutes a reportable Breach breach of Unsecured unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.5.2 below.

Reporting Security Incidents and Non-Permitted Use or Disclosure. Business Associate shall report to Covered Entity in writing each Security Incident or Use or Disclosure that is made by Business Associate, members of its Workforce or Subcontractors that is not specifically permitted by this BAA no later than three (3) business days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Business Associate shall investigate each Security Incident or non-permitted Use or Disclosure of Covered Entity’s PHI that it discovers to determine whether such Security Incident or non-non- permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI. Business Associate shall document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 2.5.1. Upon request of Covered Entity, Business Associate shall furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Business Associate shall comply with the additional requirements of Section 2.5.2 below.