Report a Possible HIPAA Breach

If you believe HIPAA data (PHI) may have been accessed, used or disclosed by someone who is not authorized to do so, it is your responsibility to report the possible breach. Once you report the HIPAA Privacy and Security officers will be able to evaluate the situation and determine whether the situation qualifies as a breach.

Examples of events that need to be reported as possible breaches:

  • HIPAA workforce member account compromise (e.g., staff report they received an unexpected Duo prompt)
  • Stolen unencrypted laptop containing PHI
  • Lost paper medical records
  • CDs containing images from medical records improperly disposed of, e.g., in trash rather than being shredded
  • Hacking, phishing that places a malware infection on your computer/network
  • Unauthorized use or access by a Business Associate
  • PHI mailed, emailed, faxed or handed to the wrong person

How to report:

Send an email to BU’s Incident Response Team (IRT):
IRT will triage the report and contact the appropriate persons and offices

If you forget the email address, report to the principal investigator, the IRB, or

BU prohibits retaliation for reporting security concerns, security incidents, and potential breaches