In general, the term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
But there are exceptions. A breach does not include unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate under the following conditions:
• If the acquisition, access or use was made in good faith;
• It was within the course and scope or other professional relationship of such employee or individual, with the covered entity or business associate; and
• The information is not further acquired, accessed, used or disclosed by any person.
HIPAA also forgives inadvertent disclosure from an individual who is otherwise authorized to access protected health information to another similarly situated individual at the same facility, as long as the information is not further acquired, accessed, used or disclosed without authorization.