45 CFR 164.402 Explained: HIPAA Breach Definition, Exceptions, and Risk Assessment Factors



Kevin Henry

HIPAA

September 24, 2025


Definition of HIPAA Breach

Under 45 CFR 164.402, a “breach” is the acquisition, access, use, or disclosure of unsecured Protected Health Information (PHI) in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. The rule presumes a breach has occurred unless you can demonstrate a low probability that the PHI has been compromised, based on a documented risk assessment.

Key elements

  • Involves PHI that is not allowed to be used or disclosed under the HIPAA Privacy Rule.
  • Concerns “unsecured” PHI—information not rendered unusable, unreadable, or indecipherable to unauthorized individuals.
  • Triggers breach notification duties unless a low probability of compromise is substantiated.

Unsecured PHI explained

PHI is “unsecured” if it is not protected through approved methods (for example, strong encryption or proper destruction) that make it unusable to an unauthorized recipient. If a device holding ePHI is encrypted and the encryption keys are not compromised, an otherwise unauthorized disclosure typically does not meet the breach definition.

Exceptions to Breach Definition

45 CFR 164.402 identifies three narrow exceptions where an incident is not a breach, even if PHI is involved. Applying these correctly avoids unnecessary notifications and focuses attention on genuine risk.

1) Good Faith Exception

An unintentional acquisition, access, or use of PHI by a workforce member or individual acting under the authority of a Covered Entity or Business Associate, made in good faith and within the scope of authority, is not a breach—so long as the PHI is not further used or disclosed in a manner not permitted by the HIPAA Privacy Rule.

2) Inadvertent, authorized-to-authorized disclosure

An inadvertent disclosure of PHI by a person authorized to access PHI to another authorized person within the same Covered Entity, Business Associate, or organized health care arrangement is not a breach, provided there is no further impermissible use or disclosure.

3) Recipient could not reasonably retain the PHI

A disclosure where you have a good-faith belief the unauthorized recipient could not reasonably have retained the information (for example, a sealed envelope returned unopened or a misdirected message immediately deleted without viewing) is not a breach.

Risk Assessment Criteria

When an incident does not fit an exception, you must evaluate whether there is a low probability that PHI has been compromised. 45 CFR 164.402 requires consideration of at least four factors and documentation of your determination.

The four required factors

  1. Nature and extent of PHI involved. Identify the sensitivity of data elements (for example, diagnoses, medications, lab results, SSNs, account numbers) and the likelihood of re-identification.
  2. The unauthorized person involved. Assess who used the PHI or to whom it was disclosed (for example, a covered health professional versus an unknown third party) and their ability or intent to misuse it.
  3. Whether PHI was actually acquired or viewed. Determine if the information was merely exposed or was truly accessed, downloaded, or read.
  4. Extent of risk mitigation. Evaluate steps taken to reduce risk—such as immediate retrieval, remote wipe, obtaining a satisfactory confidentiality assurance, or confirming data remained encrypted.

Applying the analysis

  • Use contemporaneous evidence (logs, access records, recipient confirmations) to support conclusions.
  • Document your rationale for each factor and the overall determination of low probability or breach.
  • When uncertainty remains after analysis, treat the incident as a breach and proceed with notification obligations.
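The order of analysis described in the Exceptions and Risk Assessment sections above (secured-PHI check, the three exceptions, then the four-factor assessment under a presumption of breach) can be written down as a decision worksheet. The following is an added example, not code from the original article or from Accountable; the field names, the conservative "any factor still pointing to risk means breach" rule, and the two sample incidents are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Outer time limit for notification after a confirmed breach (45 CFR 164.404):
# without unreasonable delay and no later than 60 calendar days from discovery.
NOTIFICATION_WINDOW_DAYS = 60

# The four factors 45 CFR 164.402 requires the assessment to consider, at a minimum.
REQUIRED_FACTORS = (
    "nature_and_extent_of_phi",
    "unauthorized_person",
    "acquired_or_viewed",
    "extent_of_mitigation",
)


@dataclass(frozen=True)
class Factor:
    name: str
    rationale: str             # contemporaneous evidence: logs, access records, attestations
    points_to_low_risk: bool   # assessor's conclusion for this factor alone


@dataclass(frozen=True)
class Incident:
    discovered: date
    phi_unsecured: bool                        # False only if encrypted/destroyed per guidance and keys intact
    good_faith_workforce_access: bool = False  # exception 1: unintentional, in scope
    authorized_to_authorized: bool = False     # exception 2: inadvertent, same entity/arrangement
    recipient_could_not_retain: bool = False   # exception 3: e.g. sealed envelope returned unopened
    further_impermissible_use: bool = False    # defeats exceptions 1 and 2


@dataclass(frozen=True)
class Determination:
    outcome: str               # "not_a_breach", "low_probability", or "breach"
    basis: str                 # documented rationale for regulatory review
    notify_by: Optional[date]  # set only when notification is required


def assess(incident: Incident, factors: list[Factor]) -> Determination:
    """Apply the article's order of analysis and return a documented determination."""
    # Step 1: secured PHI (encrypted per guidance, keys not compromised) is outside the definition.
    if not incident.phi_unsecured:
        return Determination("not_a_breach", "PHI was secured; breach definition not met", None)

    # Step 2: the three narrow exceptions. Exceptions 1 and 2 fail if PHI was further misused.
    if incident.recipient_could_not_retain:
        return Determination("not_a_breach", "exception 3: recipient could not reasonably retain PHI", None)
    if not incident.further_impermissible_use:
        if incident.good_faith_workforce_access:
            return Determination("not_a_breach", "exception 1: good-faith workforce access within scope", None)
        if incident.authorized_to_authorized:
            return Determination("not_a_breach", "exception 2: inadvertent authorized-to-authorized disclosure", None)

    # Step 3: presumption of breach. A low-probability finding needs all four factors documented.
    deadline = incident.discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    documented = {f.name: f for f in factors if f.rationale.strip()}
    missing = [name for name in REQUIRED_FACTORS if name not in documented]
    if missing:
        return Determination("breach", f"presumed breach: undocumented factor(s) {missing}", deadline)

    # Conservative rule (a design choice of this example, not the regulation's wording): if any
    # factor still points to a meaningful risk, uncertainty remains and the incident is a breach.
    risky = [name for name in REQUIRED_FACTORS if not documented[name].points_to_low_risk]
    if risky:
        return Determination("breach", f"factor(s) {risky} do not support low probability", deadline)
    return Determination("low_probability", "all four factors documented and support low probability", None)


def example_misdirected_fax() -> Determination:
    """Constructed scenario: one discharge summary faxed to the wrong clinic, destroyed unread."""
    incident = Incident(discovered=date(2025, 9, 1), phi_unsecured=True)
    factors = [
        Factor("nature_and_extent_of_phi", "name and discharge date for one patient; no SSN or diagnosis", True),
        Factor("unauthorized_person", "receiving clinic is itself a covered entity bound by HIPAA", True),
        Factor("acquired_or_viewed", "clinic attests the fax was shredded without being read", True),
        Factor("extent_of_mitigation", "written attestation of destruction obtained the same day", True),
    ]
    return assess(incident, factors)


def example_lost_laptop() -> Determination:
    """Constructed scenario: unencrypted laptop with patient records lost, never recovered."""
    incident = Incident(discovered=date(2025, 8, 1), phi_unsecured=True)
    factors = [
        Factor("nature_and_extent_of_phi", "2,000 records including SSNs and diagnoses", False),
        Factor("unauthorized_person", "unknown; device not recovered", False),
        Factor("acquired_or_viewed", "cannot be determined", False),
        Factor("extent_of_mitigation", "remote wipe issued but device never checked in", False),
    ]
    return assess(incident, factors)
```

The worksheet only accepts a low-probability conclusion when every required factor carries a written rationale; an empty rationale is treated as an undocumented factor and the default (breach, with the notification deadline computed from discovery) applies.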

Types of Protected Health Information

PHI is individually identifiable health information created or received by a Covered Entity or Business Associate that relates to a person’s health, care, or payment for care. PHI includes electronic PHI (ePHI) and paper/oral PHI. The following direct identifiers are especially relevant to breach risk:

Common identifiers that elevate risk

  • Names
  • Geographic data smaller than a state (for example, street address, city, ZIP code—subject to limited exceptions)
  • All elements of dates (except year) related to an individual (for example, birth date, admission/discharge dates)
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account and financial numbers
  • Certificate/license numbers
  • Vehicle identifiers and license plates
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (for example, fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

The more sensitive the content (for example, behavioral health, HIV status, genetic data) or the more complete the identifier set, the higher the potential impact in the risk assessment.


Roles of Covered Entities and Business Associates

Both Covered Entities and Business Associates share responsibilities under 45 CFR 164.402 and related provisions. Clarifying roles in advance streamlines incident response and supports compliance.

Covered Entities

  • Maintain policies and procedures for incident detection, triage, risk mitigation, and documentation.
  • Perform the 45 CFR 164.402 risk assessment and determine breach status.
  • Coordinate breach notifications when required and oversee Business Associate compliance through contracts and oversight.

Business Associates

  • Safeguard PHI and promptly report any security incident or potential breach to the Covered Entity.
  • Support the Covered Entity with facts needed for the risk assessment (for example, logs, forensic findings).
  • Follow Business Associate Agreement (BAA) terms governing uses/disclosures and incident handling.

Shared expectations

  • Implement administrative, physical, and technical safeguards proportionate to the sensitivity of PHI.
  • Train workforce members on unauthorized disclosure prevention and the Good Faith Exception limits.
  • Retain documentation of all assessments, decisions, and notifications for regulatory review.

Mitigation Strategies for Breaches

Effective mitigation reduces harm to individuals and supports a “low probability of compromise” determination when appropriate. Time is critical—act immediately upon discovery.

Immediate containment

  • Stop further exposure (recall messages, disable accounts, revoke access, isolate systems).
  • Secure or retrieve misdirected PHI; for ePHI, perform remote wipe if feasible.
  • Preserve logs and evidence to reconstruct what happened.

Risk reduction measures

  • Obtain recipient attestations of non-use/non-disclosure when appropriate.
  • Reset credentials, rotate keys, and patch vulnerabilities.
  • Offer support to affected individuals, such as credit monitoring when financial identifiers are involved.

Longer-term prevention

  • Strengthen encryption at rest and in transit; apply data loss prevention and least-privilege access.
  • Revise procedures and training to address human error, phishing, and improper workflows.
  • Update BAAs and vendor oversight processes to tighten expectations and reporting timelines.

Compliance and Enforcement Considerations

Accurate application of 45 CFR 164.402 underpins breach notification duties elsewhere in the rule. When a breach is confirmed, Covered Entities must provide notifications without unreasonable delay and no later than 60 calendar days from discovery, with additional requirements for Business Associates and for incidents affecting 500 or more individuals.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA through investigations, audits, and resolution agreements. Outcomes range from corrective action plans to tiered civil money penalties based on the nature and extent of the violation and the level of culpability (for example, reasonable cause versus willful neglect).

Strong documentation is your best defense: record the facts, your 45 CFR 164.402 risk assessment across all four factors, mitigation actions taken, final determinations, and any notifications issued. Embedding these expectations in policies, training, and BAAs reduces error and demonstrates a culture of compliance.

Bottom line: Know the breach definition, apply the exceptions narrowly, execute the four-factor analysis rigorously, and mitigate swiftly. Doing so protects individuals, limits organizational exposure, and fulfills HIPAA obligations.

FAQs

What constitutes a breach under 45 CFR 164.402?

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI under the HIPAA Privacy Rule that compromises the privacy or security of the information. Unless you document a low probability of compromise through the required risk assessment, the incident is presumed a breach.

What are the exceptions to HIPAA breach definitions?

There are three: (1) the Good Faith Exception for unintentional, authorized-in-scope access or use without further impermissible disclosure; (2) an inadvertent disclosure between two authorized individuals within the same Covered Entity, Business Associate, or organized arrangement, with no further impermissible use; and (3) disclosures where the unauthorized recipient could not reasonably retain the information.

How is risk assessed after a potential PHI breach?

You must evaluate at least four factors: the nature and extent of PHI involved; who used or received it; whether it was actually acquired or viewed; and the extent of any risk mitigation. Your documented analysis supports either a low-probability determination or a breach finding requiring notification.

What actions should covered entities take after a breach?

Immediately contain the incident, secure or retrieve PHI, preserve evidence, and begin the four-factor analysis. Implement mitigation (for example, remote wipe, key rotation, recipient assurances), decide whether a breach occurred, and if so, issue all required notifications within 60 days of discovery while updating policies, training, and vendor controls to prevent recurrence.
