A breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, unless the covered entity or business associate demonstrates, based on a risk assessment, that there is a low probability that the PHI has been compromised.
Individuals must be informed in the Notice of Privacy Practices distributed to patients that they have the right to receive notification in case of a breach of their unsecured PHI.