Associate demonstrates that there is a low probability that the PHI has been compromised. A breach shall not include: 1 . Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of Covered Entity or the Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rules: or 2. Any inadvertent disclosure by a person who is authorized to access PHI at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate respectively, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; or 3. A disclosure of PHI where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. "Business Associate" means with respect to a Covered Entity, a person who: 1. On behalf of such Covered Entity, but other than in the capacity of a member of the workforce of such Covered Entity creates, receives, maintains or transmits PHI for a function or activity involving the use or disclosure of Personally Identifiable Health Information, including claims processing or administration, data analysis, data storage, utilization review, quality assurance, billing, benefit management, practice management, and repricing: or 2. Provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, data aggregation management, administrative, accreditation or financial services to or for Covered Entity where the provision of the service involves the disclosure of PHI from such Covered Entity to the person. A Covered Entity may be the Business Associate of another Covered Entity