Question: An employee at our ophthalmology practice accessed records for no legitimate reason. He didn’t tell anyone outside our office about any of the information he accessed. Is this still a reportable breach incident, even though the information didn’t leave our office? New Hampshire Subscriber Answer: To find the answer, you must go back to the definition of a breach — an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI). In this situation, somebody looked at the information who wasn’t supposed to look at the information. That would be an impermissible use. Having an employee access information that he has no need to violates the “minimum necessary” standard of the privacy rule, which allows only employees who have need to access private data. So that would be a reportable breach, even though the information didn’t leave your office — it was a breach within your office. Consider checking with a healthcare attorney to determine if you should only report this to your compliance officer or to any authority outside the practice.