Incident Response & Operations
Breach (HIPAA)
An impermissible use or disclosure of unsecured PHI that compromises its security or privacy.
Under HIPAA, a breach is an impermissible use or disclosure of unsecured protected health information (PHI) that compromises its security or privacy. Such a disclosure is presumed to be a breach unless a risk assessment shows a low probability that the PHI was compromised.
Confirmed breaches trigger the Breach Notification Rule. Notably, properly encrypted PHI is considered "secured" and its exposure generally does not count as a reportable breach.