Breach Notification FAQs

Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA which compromises the security or privacy of the PHI.

Under HITECH, any impermissible acquisition, access, use, or disclosure is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

There are certain exceptions that may be considered when determining whether a reportable breach has occurred. 

Responsibility for determining whether a breach has occurred under HIPAA rests with the University's Privacy Officer; therefore, it is important that all unintended or unauthorized uses or disclosures of PHI or personal information are reported immediately to the Privacy Office.

Please refer to the UofL Privacy Office HIPAA Policy Manual, PO-18 Breach Response & Notification (log-in required), for additional information and University-specific procedures for investigation and reporting of breaches.

It is important to immediately contact the clinic/facility supervisor, the UofL Privacy Office, or the UofL Information Security Office if a breach is suspected. The time frame for responding to breach incidents is very limited, so it is important that we begin investigating the incident quickly.

The UofL Privacy Office can be reached at 502-852-3803 or via email at privacy(@)  The UofL Information Security Office can be reached at