Footnote
The exceptions relate to (i) unintentional, good-faith access, acquisition or use by members of the covered entity’s or business associate’s workforce, (ii) inadvertent disclosure limited to persons with authorized access and not resulting in further unpermitted use or disclosure, and (iii) good-faith belief that the unauthorized recipient would be unable to retain the PHI.