What constitutes a breach of PHI?
A breach is defined as the "unauthorized acquisition, access, use, or disclosure" of PHI that can compromise the privacy and/or security of this information. If, however, the PHI is "unusable, unreadable, or indecipherable", no notification is required.
A breach is considered discovered when the incident in which there is an impermissible use or disclosure becomes known, or should have become known, if the provider was reasonably diligent and had implemented a reasonable system for discovery of breaches. Knowledge of a breach by a workforce member (employees, volunteers, trainees, and other persons who work for a covered entity, regardless of whether they are paid) or other agents, such as certain business associates, is attributed to the covered entity itself. Thus, health care providers have the responsibility to train workforce members and agents on how to report incidents that may compromise the privacy and security of PHI, the importance of doing this promptly, and the consequences of not doing so.
In the event of a potential breach, covered entities, such as health care providers, need to perform a risk assessment to determine whether a breach occurred and to notify the affected individuals, the media, and the government, as appropriate. Covered entities and business associates have the burden of proof to demonstrate either that all required notifications were made or that a use or disclosure of unsecured protected health information did not constitute a breach and thus no notifications were required.