: when someone who does not have the authorization to access protected health information (PHI). There are a few exceptions: if the PHI is shared between two people who are employed at the HIPAA-covered entity and/or business associate, if a person who works at the HIPAA-covered entity and/or business associate accidentally gains access to the PHI, or if the information is obsolete by the time the unauthorized person gains access to it.