Imagine a clinic has a policy that allows patient data to be released to non-patients but a court decides that the use violates HIPPA. There would be no technical breach of security, but rather a breach of responsibility.