45 C.F.R. § 164.402

Definitions

Read at: eCFRecfr.gov CornellLII GovInfogovinfo.gov CasesGoogle Scholar

As used in this subpart, the following terms have the following meanings:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

(1) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.

[78 FR 5695, Jan. 25, 2013]
Notes of Decisions
Cited in 10 cases (6 in the last 5 years), 2019–2024 · leading case: D.L. v. Sheppard Pratt Health Sys., 465 Md. 339 (Md. 2019).
D.L. v. Sheppard Pratt Health Sys., 465 Md. 339 (Md. 2019). “See 45 CFR §§ 164.402 , 404. Additionally, any non- permitted access to information protected under HIPAA carries criminal penalties.”
Jacqmin v. Savilinx (Me. Super. Ct 2022). · cites it 4× “45 C.F.R. § 164.402 (2013) (emphasis added).”
Ciox Health, LLC v. Hargan (D.D.C. 2020). · cites it 2× “7 HHS concedes that, pursuant to 45 C.F.R. § 164.402 (c)(1), it can take enforcement action against a covered entity if its business associate charges in excess of the Patient Rate.”
D.L. v. Sheppard Pratt Health Sys. (Md. 2019). “See 45 CFR §§ 164.402 , 404. Additionally, any non- permitted access to information protected under HIPAA carries criminal penalties.”
D.L. v. Sheppard Pratt Health Sys. (Md. 2019). “See 45 CFR §§ 164.402 , 404. Additionally, any non- permitted access to information protected under HIPAA carries criminal penalties.”
Centene Corp. v. Accellion, Inc. (Del. Ch. 2022). “45 C.F.R. § 164.402 . A “Security Incident” is defined as the 6 Like the License Agreement, the BAA contains an indemnification provision, albeit one where Accellion accepts more liability.”
Centene Corp. v. Accellion, Inc. (Del. Ch. 2022). “45 C.F.R. § 164.402 . A “Security Incident” is defined as the 6 Like the License Agreement, the BAA contains an indemnification provision, albeit one where Accellion accepts more liability.”
Ramirez v. DVA (Fed. Cir. 2024). “45 C.F.R. §§ 164.402 , 404. Thus, whether Mr.”
Owen-Brooks v. DISH Network Corp. (D. Colo. 2024). “, and regulations promulgated thereunder in 45 C.F.R. § 164.402 , as well as Section 5 of the Federal Trade Commission Act (the “FTC” Act) proceed.”
Owen-Brooks v. DISH Network Corp. (D. Colo. 2024). “402 , as well as Section 5 of the Federal Trade Commission Act (the “FTC” Act) and the FTC’s publications providing cyber-security guidelines to businesses, set the standard of care for Defendant’s possession and protection of Plaintiffs’ personal information.”
Annotations are extracted automatically from the opinions in the Syfert caselaw corpus and ranked by authority, recency, and treatment. Dots show Syfertize treatment of the citing case itself.