Definition: The acquisition, access, use or disclosure of PHI which compromises the security of privacy of the PHI.
Under the most recent HIPAA regulations, all HIPAA violations are presumed to be a “breach”. In determining if the violation is truly a breach, the University must conduct a review that looks at:
- The nature and extent of information involved, including the types of identifiers and risk of re-identification
- The identity of the unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- Extent to which risk to the PHI has been mitigated
The circumstances of the breach will determine the School of Dentistry’s response, but as soon as an employee knows (or could have been expected to have known) about the breach, the clock starts ticking for us to take action.
Take home message: Recognize and report all privacy concerns immediately!