Question: One of our employees accessed records without a legitimate reason. Is this still a reportable breach incident, even though he didn’t tell anyone about any of the information he accessed?

Ohio Subscriber

Answer: To determine the answer, go back to the definition of a breach: any acquisition, access, use, or disclosure in violation of the HIPAA Privacy Rule, says Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems LLC in Charlotte, Vermont. In this situation, “somebody looked at the information who wasn’t supposed to look at the information,” Sheldon-Dean notes. That would be an “access” or a “use” of the patient’s data.

Reminder: But in the HIPAA Privacy Rule, “minimum necessary” requirements dictate that an employee should access only the information that is needed to perform the tasks in their jobs. A person accessing information that they should not violates the minimum necessary requirements, Sheldon-Dean explains. “So that would be a reportable breach even though the information didn’t leave your facility — it was a breach within your facility.”