Report a Possible HIPAA Breach

If you believe HIPAA data (PHI) may have been accessed, used or disclosed by someone who is not authorized to do so, it is your responsibility to report the possible breach. Once you report the HIPAA Privacy and Security officers will be able to evaluate the situation and determine whether the situation qualifies as a breach.

Examples of events that need to be reported as possible breaches:

  • HIPAA workforce member account compromise (e.g., staff report they received an unexpected Duo prompt)
  • Stolen unencrypted laptop containing PHI
  • Lost paper medical records
  • CDs containing images from medical records improperly disposed of, e.g., in trash rather than being shredded
  • Hacking, phishing that places a malware infection on your computer/network
  • Unauthorized use or access by a Business Associate
  • PHI mailed, emailed, faxed or handed to the wrong person

How to report:

HIPAA workforce members should notify their supervisor and/or HIPAA Component Contact.  The HIPAA Contact then reports to IT Help Center ( or the HIPAA Officers (

BU prohibits retaliation for reporting security concerns, security incidents, and potential breaches