Uses and Disclosures of PHI permitted or required by the Privacy Rule are the subject of both the Security and Breach Notification Rules. The Security Rule requires Covered Entities and Business Associates to protect against Uses and Disclosures of PHI not permitted or required by the Privacy Rule that is transmitted by Electronic Media or maintained in Electronic Media.
The Breach Notification Rule defines “Breach” as the Acquisition, Access, Use or Disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the Security or Privacy of the PHI.