The US Dept. of Health & Human Services requires that providers and facilities covered by HIPAA notify individuals when their health information is “breached”. If there is significant risk of financial, reputational, or other harm to the affected individual as a result of unauthorized use or disclosure of unsecured PHI (protected health information), then breach notification to the patient and governmental agencies is required.
Unintentional or inadvertent disclosure are exceptions. UHS will do regular audits to identify unauthorized use, and will screen “high profile” cases such as those with media coverage. It is also against UHS policy to access your own or your family member’s information. Warning letters will be sent to physicians and their staff for the first offense with progressive disciplinary action taken thereafter.