What is a Breach Under HIPAA?
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
Breach = Impermissible use or disclosure of PHI that compromises security or privacy
Unsecured PHI = PHI not rendered unusable, unreadable, or indecipherable through encryption or destruction
Presumption = An impermissible use/disclosure is presumed to be a breach unless you demonstrate low probability of compromise
The Breach Presumption
Since the 2013 Omnibus Rule, HIPAA presumes that any impermissible use or disclosure of unsecured PHI is a breach. The burden is on the covered entity or business associate to demonstrate through a risk assessment that there's a low probability the PHI was compromised.
The Breach Risk Assessment
When an impermissible use or disclosure occurs, you must conduct a risk assessment considering at least four factors:
Factor 1: Nature and Extent of PHI Involved
Consider:
- What types of identifiers were included?
- What was the sensitivity (e.g., HIV status, mental health, SSN)?
- How much PHI was involved?
- Could the information be used for identity theft?
Factor 2: Unauthorized Person Who Used/Received PHI
Consider:
- Who received or accessed the PHI?
- Did they have independent HIPAA obligations (e.g., another covered entity)?
- Is the recipient likely to misuse the information?
Factor 3: Whether PHI Was Actually Acquired or Viewed
Consider:
- Was the PHI actually viewed or only potentially exposed?
- Is there evidence of access (logs, forensics)?
- Was a lost or stolen device recovered or shown by forensic evidence never to have been accessed? (If the device was encrypted, the PHI was not "unsecured" and the safe harbor applies instead.)
Factor 4: Extent to Which Risk Has Been Mitigated
Consider:
- Did you recover the PHI or obtain assurances of destruction?
- Was a confidentiality agreement signed?
- What steps were taken to reduce the risk?
Risk Assessment Outcomes
| Outcome | Action Required |
|---|---|
| Low probability of compromise | No breach notification required (document your assessment) |
| Cannot demonstrate low probability | Treat as a breach; notify as required |
| PHI was encrypted | Not a breach of "unsecured PHI" (safe harbor) |
Exceptions to Breach Definition
Three situations are excluded from the breach definition:
Exception 1: Unintentional Access by Workforce
Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith within their scope of authority, if the information is not further used or disclosed improperly.
Example: A nurse accidentally opens the wrong patient's chart but immediately closes it without using the information.
Exception 2: Inadvertent Disclosure Between Authorized Persons
Inadvertent disclosure from one authorized person to another authorized person within the same covered entity or business associate (or organized healthcare arrangement), if the information is not further used or disclosed improperly.
Example: A doctor sends lab results to the wrong provider in the same hospital system who is also authorized to access PHI.
Exception 3: Good Faith Belief of No Retention
Disclosure where the covered entity has a good faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it.
Example: An email with PHI is sent to the wrong person but recalled before being opened.
Notification Timelines
Covered Entity Obligations
| Notification | Timeline | Details |
|---|---|---|
| Individuals | Within 60 days of discovery | Without unreasonable delay; 60 days is the maximum, not a target |
| HHS (500+ individuals) | Within 60 days of discovery | Submit via the HHS breach portal |
| HHS (<500 individuals) | Within 60 days after the end of the calendar year of discovery | Smaller breaches may be logged and reported in an annual batch |
| Media (500+ in state) | Within 60 days of discovery | Prominent media outlets in affected state(s) |
Business Associate Obligations
Business associates must notify the covered entity of any breach:
- Timeline: Without unreasonable delay, no later than 60 days from discovery
- Note: BAAs often specify shorter timelines (24-72 hours)
- Content: Identify the affected individuals and provide any other information the covered entity needs to fulfill its own notification requirements
When is a Breach "Discovered"?
A breach is discovered when:
- The covered entity or business associate first knows about it, OR
- By exercising reasonable diligence, would have known about it
Knowledge held by any workforce member, agent, or other person acting for the entity (other than the person who committed the breach) is imputed to the entity. You can't avoid the timeline by not investigating.
Example: A breach occurs on January 1. IT discovers it on January 15. The 60-day clock starts on January 15, making March 16 (in a non-leap year) the outer deadline for individual notification and, for breaches affecting 500 or more individuals, HHS notification.
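As an added illustration (not part of the original article), the following Python sketch applies the discovery-date, safe-harbor, and timeline rules above to a constructed incident record; the incident fields and the per-state counts are assumptions, and the resulting dates are outer limits, not targets.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

MAX_DELAY_DAYS = 60  # HIPAA outer limit for notification, measured from discovery

@dataclass
class Incident:
    """Constructed incident record; field names are assumptions for this example."""
    occurred: date                     # when the impermissible use/disclosure happened
    first_known: date                  # when the entity (other than the perpetrator) actually knew
    should_have_known: Optional[date]  # earliest date reasonable diligence would have revealed it
    affected_total: int                # individuals whose unsecured PHI was involved
    affected_by_state: Dict[str, int]  # residents affected per state, e.g. {"CA": 620}
    phi_encrypted: bool                # rendered unusable/unreadable per the safe harbor
    low_probability_shown: bool        # documented four-factor assessment found low probability

def discovery_date(inc: Incident) -> date:
    """Discovery is the earlier of actual knowledge and reasonable-diligence knowledge."""
    if inc.should_have_known is None:
        return inc.first_known
    return min(inc.first_known, inc.should_have_known)

def notification_plan(inc: Incident) -> dict:
    """Return who must be notified and the outer deadline for each, or why no notice is owed."""
    if inc.phi_encrypted:
        return {"breach": False, "reason": "safe harbor: PHI was not unsecured"}
    if inc.low_probability_shown:
        return {"breach": False, "reason": "documented low probability of compromise"}
    found = discovery_date(inc)
    deadline = found + timedelta(days=MAX_DELAY_DAYS)
    plan = {"breach": True, "discovered": found, "individuals": deadline}
    if inc.affected_total >= 500:
        plan["hhs"] = deadline  # large breach: report to HHS on the same clock
    else:
        # small breach: may be batched within 60 days after the end of the year of discovery
        plan["hhs"] = date(found.year, 12, 31) + timedelta(days=MAX_DELAY_DAYS)
    # media notice only in states where 500+ residents are affected
    plan["media"] = sorted(st for st, n in inc.affected_by_state.items() if n >= 500)
    return plan

if __name__ == "__main__":
    # Constructed sample matching the article's January 1 / January 15 walkthrough
    sample = Incident(date(2025, 1, 1), date(2025, 1, 15), None, 700,
                      {"CA": 620, "NV": 80}, phi_encrypted=False, low_probability_shown=False)
    print(notification_plan(sample))
```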
Who Must Be Notified?
Affected Individuals
- Written notification by first-class mail (or email if agreed)
- If 10+ individuals have outdated contact info, substitute notice required
- Substitute notice: conspicuous website posting or major media
- For urgent situations, may supplement with phone
HHS Office for Civil Rights
- Submit via the HHS Breach Portal
- Large breaches (500+): posted on the "Wall of Shame" public database
- Small breaches: submitted in aggregate within 60 days of year end
Media
- Required only for breaches affecting 500+ residents of a state
- Notify prominent media outlets serving that state
- Content similar to individual notification
Notification Content Requirements
Individual Notification Must Include
- Brief description of what happened, including date of breach and discovery
- Types of unsecured PHI involved (e.g., names, SSN, diagnosis)
- Steps individuals should take to protect themselves
- What the covered entity is doing to investigate, mitigate, and prevent future breaches
- Contact procedures for questions (toll-free number, email, postal address)
HHS Notification Must Include
- Number of individuals affected
- Type of PHI involved
- Description of breach
- Safeguards in place at time of breach
- Actions taken in response
Documentation Requirements
You must document and retain records of:
- All breach risk assessments (even for incidents determined not to be breaches)
- All notifications sent
- Investigation findings
- Remediation actions
- Policy and procedure updates resulting from breach
Retain documentation for at least 6 years.
The breach notification rule creates real consequences for security failures. Large breaches end up on HHS's public "Wall of Shame," creating reputational risk beyond the regulatory penalties. Preventing breaches through strong security controls is far better than navigating notification requirements afterward.