Breach Response.

(a) In general.

(1) In the event of a breach of PII/PHI held by the Business Associate, the Business Associate shall report the breach to the Covered Entity in accordance with Section VII, assess the breach incident, take mitigation actions as applicable, and notify affected individuals, as directed by the Covered Entity.

(2) The Business Associate shall coordinate all investigation actions with the Covered Entity, and at a minimum, follow the breach response requirements set forth in this Part V, which is designed to satisfy both the Privacy Act and HIPAA as applicable. If a breach involves PII without PHI, then the Business Associate shall comply with DoD Privacy Act Issuance breach response requirements only; if a breach involves PHI (a subset of PII), then the Business Associate shall comply with both Privacy Act and HIPAA breach response requirements. A breach involving PHI may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then the Business Associate has no HIPAA breach response obligations. In such cases, the Business Associate must still comply with breach response requirements under the DoD Privacy Act Issuances.

(3) The Business Associate shall, at no cost to the government, bear any costs associated with a breach of PII/PHI that the Business Associate has caused or is otherwise responsible for addressing.
Sources: Department of Defense Telework Agreement, Business Associate Agreement, Business Associate Agreement