The Health Insurance Portability & Accountability Act & HITECH Acts (HIPAA) and implementing regulations require Covered Entities and their Business Associates to investigate and mitigate any security or other incidents that involve potential unauthorized access of Protected Health Information (PHI) as that terms is defined by HIPAA. Except in very limited instances, any unauthorized access to a Covered Entity’s PHI constitutes a breach. Breaches that impact fewer than 500 individuals must be reported to impacted individuals within 60 days of discovery and reported on an annual basis to HHS. Breaches that impact 500 or more individuals must be reported to HHS, the media and the impacted individuals within 60 days of discovery.
In compliance with this requirement, System has adopted a Breach Notification Policy that describes how System will comply with its Breach notification duties under HIPAA in addition to its duties to comply with state privacy breach notification laws. This policy, INT 165, located in The University of Texas System Policy Library at www.utsystem.edu/board-of-regents/policy-library  is incorporated by reference and made a part of this Manual for all purposes.
Records of all required documentation of compliance with this policy, including breach logs for breaches involving less than 500 individuals, shall be maintained by the Privacy Officer. A form for recording such breaches is attached to the Manual.
45 C.F.R. Part 164, Subpart D