Data Breach Notification

What is a Breach?

According to 45 CFR 164.402, a "breach" is defined as follows:

"An acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated."

Separate Federal and State laws and regulations define breach notification requirements associated with unauthorized use or disclosure of Protected Health Information (PHI) or Personal Information. The VUMC Privacy Office coordinates compliance with the required notification steps and prepares the necessary notification and reporting documents. Each event that involves a breach of individually identifiable PHI or Personal Information must be evaluated, as defined by VUMC policy, to determine which regulatory notification requirements apply.

IM 10-30.02: Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information

Key Definitions:

Protected Health Information (PHI): individually identifiable health information that is transmitted or maintained in any form or medium by a health care provider, health plan, or health care clearinghouse.

Personal Information: an individual's first name or first initial and last name, in combination with any one or more of the following: social security number; driver's license number; or account number, credit card number or debit card number, in combination with any required security code, access code or password.

Breach of PHI: defined by federal law and regulation (45 CFR 164.402) as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule. Such an event is presumed to be a breach unless a documented risk assessment of the four factors listed above demonstrates a low probability that the PHI has been compromised. The earlier test, whether the event posed a significant risk of financial, reputational, or other harm to the individual, no longer governs; the four-factor assessment does.

Computerized Data Security Breach of Personal Information: defined by Tennessee State law as the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of Personal Information. Because the definition is limited to unencrypted data, whether the affected data was encrypted (and whether the encryption key was also exposed) is a key fact to establish early in the evaluation of any event.

Questions related to whether or not breach notification is required should be referred to the Privacy Office at (615) 936-3594 or