What constitutes a breach of PHI?
A breach is defined as the "unauthorized acquisition, access, use, or disclosure" of PHI that can compromise the privacy and/or security of this information. If, however, the PHI is "unusable, unreadable, or indecipherable", no notification is required.
A breach is considered discovered when the incident in which there is an impermissible use or disclosure becomes known or should have become known, if the provider was reasonably diligent and had implemented a reasonable system for discovery of breaches. Knowledge of a breach by a workforce member (employees, volunteers, trainees, and other persons who works for a covered entity regardless of whether they are paid) or other agents, such as certain business associates, are attributed to the covered entity itself. Thus, health care providers have the responsibility to train workforce members and agents on how to report incidents that may comprise privacy and security of PHI, the importance of doing this promptly, and the consequences of not doing so.
In the event of a potential breach, covered entities, such as health care providers, need to perform a risk assessment to determine if a breach occurred and to notify the affected individuals, the media, and the government, as appropriate. Covered entities and business associates have the burden of proof to demonstrate that all required notifications were or that a use or disclosure of unsecured protected health information did not constitute a breach and thus no notifications were required.
E-mail the HealthIT e-mail box: firstname.lastname@example.org