Covered entities and business associates are required to identify and report breaches of unsecured protected health information (“PHI”) and security incidents. “Breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Laws which compromises the security or privacy of the PHI, and is not one of the breach exclusions.1 Breach applies to both paper and electronic PHI. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI (“EPHI”) or interference with the entity’s system operations in its information system.2 The Federal Office for Civil Rights (“OCR”) has recommended that covered entities and business associates have incident response teams capable of identifying and handling breaches and security incidents.3 Incident response plans and policies should be developed, reviewed annually, and approved by management….hipaaincidentresponseteam