A breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, unless the covered entity or business associate demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.
Individuals must be informed, in the Notice of Privacy Practices that is distributed to patients, that they have the right to receive notification in the event of a breach of their unsecured PHI.