Military Health System

Health and Human Services Breach (HHS Breach)

Date of Publication:

3/13/2019

Definition:

A breach as defined in Section 164.402 of the HIPAA Breach Rule. The text of that HHS definition states:

Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E of this part [i.e. the HIPAA Privacy Rule] which compromises the security or privacy of the PHI.

HHS breach excludes:

- Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a DOD covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access PHI at a DOD covered entity or business associate to another person authorized to access PHI at the same DOD covered entity or business associate, or organized health care arrangement in which the DOD covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule.
- A disclosure of PHI where a DOD covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Except as provided in this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under this issuance is presumed to be a breach unless the DOD covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.

Source of Definition:

Implementation of the Health Insurance Portability and Accountability Act Privacy Rule in DOD Health Care Programs

Last Updated: February 03, 2023