A breach is generally an impermissible use or disclosure that compromises the security and privacy of private health information. Impermissible use of unsecured PHI is presumed to be a breach unless the entity demonstrates that there is a low probability that the PHI has been compromised. When a breach occurs, the Breach Notification Rule requires notification to affected individuals, the Secretary of Human and Health Services, and in some cases, the media. 

Entities must notify when there is a loss of information, theft, or certain other impermissible uses, in particular, health care providers must promptly notify HHS if there is any breach that affects more than 500 or more individuals, and they must notify the media if the breach affects more than 500 residents of a state or jurisdiction. If the breach affects fewer than 500 individuals, the entity must notify HHS no later than 60 days after the end of the calendar year in which the breach occurred. 

Significant breaches are investigated and penalties may be imposed. Breaches of more than 500 patients are publicly reported. If a risk assessment demonstrates there is a low probability that the use or disclosure compromised unsecured PHI, then breach notification is not necessary. (Please note that this breach-related risk assessment is different from the periodic risk analysis required by the Security Rule.)