Data if inappropriately handled may result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, or unauthorized access by an individual or many individuals (e.g., student loan information, social security number, driver’s license number, passport or Visa number, state ID card number and protected health information ).

A statement that a situation is unsatisfactory or unacceptable; An allegation of wrongdoing against an individual or organization.

The unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed, would not reasonably have been able to retain such information. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.

The ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

FAQs Archive

Q: May a covered entity hire a business associate to dispose of protected health information?

Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information ( PHI ) on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal. See 45 CFR 164.308(b) , 164.314(a) , 164.502(e) , and 164.504(e) . Thus, for example, a covered entity may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI , or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area.

Q: Business Associate Agreement (BAA)

A written contract between a covered entity and a business associate (BA) that establishes the permitted and required uses and disclosures of protected health information by the BA; requires the BA to implement appropriate safeguards to prevent unauthorized use or disclosure; requires BA to report to covered entity any uses and disclosures not provided for in the contract; to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule , requires the business associate to comply with the requirements applicable to the obligation; requires BA to ensure any subcontractors agree to the same restrictions. See our HIPAA Business Associate Agreement Template .

Q: Amendment and Correction

An amendment to a record would indicate that the data is in dispute while retaining the original information. A correction to a record alters or replaces the original record.