Breach Notification FAQs

Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA which compromises the security or privacy of the PHI.

Under HITECH, any impermissible acquisition, access, use, or disclosure is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

There are certain exceptions that may be considered when determining whether a reportable breach has occurred.

Responsibility for determining whether a breach has occurred under HIPAA rests with the University's Privacy Officer; therefore, it is important that all unintended or unauthorized uses or disclosures of PHI or personal information are reported immediately to the Privacy Office.

HIPAA Privacy Guidance AR-16 (log-in required) provides additional information on suspected breaches and responses to them.

It is important to immediately contact the clinic/facility supervisor or the UofL Privacy Office if a breach is suspected. There is a very limited time frame for responding to breach incidents, so it is important that the covered entity is able to begin work quickly.

The UofL Privacy Office can be reached at 502-852-3803 or via email at privacy(@)