An employee at health facility C searched the facility's encrypted Electronic Health Record (EHR) for patient X's medical record using patient X's first and last names. After the Privacy Office conducted an audit trail of the employee's search, it was determined that the employee only accessed patient X's MRN and address. Health facility C is a licensed facility.

1.Was there a privacy breach?

2.Is the breach reportable under California and/or federal regulations? [Please indicate and explain if any regulatory exceptions apply (e.g. HIPAA breach exceptions).]

3.To whom should the breach be reported (if applicable)?

4.What recommendations do you have for the Covered Entity as a result of the potential breach (e.g. internal policies, employee sanctions, etc.)?