Breach of ePHI Explained: Definition, Examples, and HIPAA Reporting Requirements


Kevin Henry

Data Breaches

April 25, 2024

8 minutes read

Definition of ePHI Breach

What is ePHI?

Electronic protected health information (ePHI) is any individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. It includes data in EHR systems, billing platforms, email, imaging systems, backups, and device logs that can identify a patient.

What is a breach?

A breach is the acquisition, access, use, or disclosure of ePHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. If an impermissible disclosure occurs, a breach is presumed unless a documented risk assessment shows a low probability that the ePHI has been compromised.

Recognized exceptions

  • Unintentional, good-faith access or use by a workforce member within scope of authority without further impermissible use.
  • Inadvertent disclosure between authorized persons within the same covered entity or business associate, with no further impermissible use.
  • Good-faith belief that the unauthorized recipient could not reasonably retain the information.

Secured vs. unsecured ePHI

ePHI is “secured” when it has been rendered unusable, unreadable, or indecipherable to unauthorized persons, either by encryption consistent with the HHS guidance (which points to the NIST standards, e.g. NIST SP 800-111 for data at rest) or by destruction (shredding paper, or sanitizing media per NIST SP 800-88). The safe harbor holds only if the decryption key or credential was not itself compromised: a stolen laptop with full-disk encryption whose passphrase was on a sticky note under the keyboard is not secured. Breach notification under the HIPAA Breach Notification Rule applies only to unsecured ePHI. Encryption imposed by an attacker (e.g., ransomware) does not make the ePHI secured.

Examples of ePHI Breaches

  • Phishing and credential theft: An attacker steals user credentials and queries the EHR, accessing diagnosis and medication data.
  • Misdirected communications: ePHI is emailed, faxed, or texted to the wrong recipient without proper safeguards, resulting in an impermissible disclosure.
  • Unencrypted device loss: A stolen laptop or phone holding unencrypted ePHI exposes patient demographics and clinical notes.
  • Cloud misconfiguration: A storage bucket or database is publicly accessible due to incorrect settings, leaking imaging and claims data.
  • Improper disposal: Copiers, hard drives, or USB media are discarded without wiping, revealing lab results and identifiers.
  • Vendor compromise: A business associate’s system is breached, exposing ePHI processed under a business associate agreement.
  • Insider snooping: A staff member looks up the records of a friend or celebrity without a need to know.
  • Ransomware with exfiltration: Malware encrypts servers and copies charts for extortion, increasing compromise risk.

HIPAA Reporting Requirements

When the clock starts

The “date of discovery” is the first day the breach is known—or would have been known with reasonable diligence—by the covered entity or business associate. Knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the organization, so a help-desk ticket about a lost laptop starts the clock even if the privacy officer only hears about it weeks later. All deadlines below use calendar days, and each is an outer limit: the Rule also requires action without unreasonable delay.

Individual notification

  • Timeline: Without unreasonable delay and no later than 60 calendar days after discovery.
  • Method: Written notice by first-class mail, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more individuals, substitute notice is required: a conspicuous posting on your website home page for 90 days or notice in major print or broadcast media, in either case with a toll-free number active for at least 90 days. Telephone or other urgent means may supplement written notice when misuse of the ePHI is imminent.
  • Content: In plain language, a brief description of what happened, including the date of the breach and the date of discovery if known; the types of ePHI involved; steps individuals should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and contact procedures (a toll-free number, email address, website, or postal address).

Notice to HHS and the media

  • 500 or more individuals affected: Notify the Secretary of HHS without unreasonable delay and no later than 60 days after discovery, at the same time as the individual notices, through the HHS breach reporting portal. If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area within the same 60-day window.
  • Fewer than 500 individuals: Log the breach and submit it to HHS no later than 60 days after the end of the calendar year in which it was discovered (the year of discovery, not the year it occurred).

Business associate to covered entity

A business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery, and should provide the identities of affected individuals and any other information the covered entity needs to make its own notifications. Many business associate agreements require much shorter reporting windows. One caveat for the covered entity: if the business associate is acting as its agent, the business associate’s discovery date is imputed to the covered entity, so the covered entity’s own 60-day clock starts when the business associate discovered the breach, not when it was reported.
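
The deadlines above are easy to miscount by hand, especially the year-end rule for small breaches and the per-jurisdiction media trigger. The following added example (not code from this article or from any product it mentions) encodes only the outer limits stated above; every notice is still due without unreasonable delay, and the jurisdiction codes, counts and dates are constructed for illustration.

```python
"""Latest permissible HIPAA breach-notice dates from a discovery date.

Added example for this article, not code from it. It encodes only the outer
limits stated in the text; every notice is still due without unreasonable
delay. The counts and dates used at the bottom are constructed.
"""
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)  # calendar days under the Breach Notification Rule


def notification_deadlines(discovered, affected_by_jurisdiction):
    """Return the latest date for each required notice.

    affected_by_jurisdiction maps a state/jurisdiction code to the number of
    its residents affected. The total decides when HHS must be told; the
    per-jurisdiction counts decide where media notice is owed.
    """
    total = sum(affected_by_jurisdiction.values())
    deadlines = {"individuals": discovered + OUTER_LIMIT}
    if total >= 500:
        deadlines["hhs"] = discovered + OUTER_LIMIT
    else:
        # Small breaches: log them and report within 60 days after the
        # calendar year of discovery ends (timedelta handles leap years).
        deadlines["hhs"] = date(discovered.year, 12, 31) + OUTER_LIMIT
    # Media notice is owed where MORE THAN 500 residents of one jurisdiction are affected.
    deadlines["media"] = {
        j: discovered + OUTER_LIMIT
        for j, n in sorted(affected_by_jurisdiction.items())
        if n > 500
    }
    return deadlines


def ba_to_ce_deadline(ba_discovered, contractual_days=None):
    """Latest date a business associate may notify the covered entity:
    the Rule's 60 days, shortened if the BAA sets a shorter window."""
    limit = OUTER_LIMIT
    if contractual_days is not None:
        limit = min(limit, timedelta(days=contractual_days))
    return ba_discovered + limit


if __name__ == "__main__":
    # Constructed scenario: discovered 25 April 2024; 600 California and 450 Texas residents affected.
    print(notification_deadlines(date(2024, 4, 25), {"CA": 600, "TX": 450}))
    print(ba_to_ce_deadline(date(2024, 4, 25), contractual_days=10))
```

Feed it the imputed discovery date (the earliest date any workforce member or agent knew), not the date the privacy office opened its file; the difference is where organizations most often find they have already missed a deadline.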

Documentation and record retention

Maintain written breach determinations, risk assessments, copies of notifications sent, and the mitigation steps taken, and retain them for at least six years as the HIPAA documentation requirements demand. The covered entity or business associate carries the burden of proof: it must be able to show either that all required notifications were made or that the incident did not meet the definition of a breach. Thorough documentation is what makes that showing possible in an OCR investigation or compliance audit.

Risk Assessment for Breach Notification

Required risk assessment criteria

To rebut the presumption of breach, analyze and document:

  • Nature and extent of ePHI: Sensitivity, identifiability, and volume of data exposed (e.g., diagnoses, SSNs, payment details).
  • Unauthorized person: Who accessed or received the ePHI and their obligations to protect it (e.g., covered entity vs. unknown actor).
  • Whether ePHI was actually acquired or viewed: Logs, DLP alerts, or forensic evidence showing access, copying, or exfiltration.
  • Mitigation: Steps taken to reduce risk, such as obtaining satisfactory assurances of destruction or rapid credential revocation.

How to perform a defensible assessment

  • Collect system, application, and security logs; preserve forensic images; and establish a clear timeline of events.
  • Determine whether the ePHI was encrypted at rest and in transit to a standard meeting the HHS safe-harbor guidance at the time of the incident, and whether the keys or credentials needed to decrypt it were also exposed.
  • Assess data tampering or integrity loss and the feasibility of re-identification if partial identifiers were exposed.
  • Score likelihood and impact, justify conclusions in plain language, and obtain executive sign-off.

Business Associate Obligations

Contractual and regulatory duties

Business associates must implement administrative, physical, and technical safeguards, report breaches to the covered entity, and flow down the same requirements to subcontractors. These obligations are memorialized in a business associate agreement that specifies breach reporting timelines, cooperation on investigations, and allocation of responsibilities.

Effective practices

  • Continuously monitor for security incidents and escalate promptly to the covered entity with actionable details.
  • Maintain an inventory of systems processing ePHI and ensure subcontractors meet equivalent controls.
  • Prepare notification templates and call center plans to accelerate joint breach notification.
  • Be prepared for OCR investigations or HIPAA compliance audits following a significant incident.

Ransomware and ePHI

Presumption of breach and today’s threat reality

Modern ransomware often includes data theft (“double extortion”). Because the attacker gains control and may exfiltrate files, the event is generally presumed to be a breach unless a risk assessment shows a low probability of compromise. Attacker-imposed encryption does not satisfy safe-harbor protections.

What to evaluate

  • Evidence of exfiltration, staging, or data packaging; unusual outbound connections; and dark web leak-site postings.
  • Scope of systems impacted, integrity of backups, and whether ePHI was encrypted to strong standards before the attack.
  • Threat actor behavior (time in environment, tools used) and whether ePHI was likely viewed or acquired.
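
Factor three of the risk assessment (“whether ePHI was actually acquired or viewed”) and the ransomware checklist above both come down to the same evidence question: did data leave? The following added example (not code from this article or from any product it mentions) shows one way to turn egress-log review into something a written assessment can cite. It aggregates outbound volume per source host and destination, ignores destinations the organization is known to send ePHI to, flags pairs above a volume threshold, and emits a plain-language timeline. The log format, hostnames, addresses, allowlist and the 500 MiB threshold are all constructed for illustration.

```python
"""Flag possible ePHI exfiltration in egress logs and build an evidence timeline.

Added example for this article, not code from it. The log format, hosts,
addresses, allowlist and threshold below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed egress log: timestamp, source host, destination, port, bytes sent.
EGRESS_LOG = """\
2024-04-01T01:02:11Z ehr-db-01 203.0.113.10 443 5120
2024-04-01T01:03:45Z ehr-db-01 203.0.113.10 443 4096
2024-04-01T02:15:00Z ws-0412 198.51.100.77 443 734003200
2024-04-01T02:31:19Z ws-0412 198.51.100.77 443 612368384
2024-04-01T02:40:02Z ehr-db-01 198.51.100.77 22 5368709120
2024-04-01T03:05:40Z ws-0099 203.0.113.10 443 2048
"""

# Destinations the organization is known to send ePHI to (constructed; e.g. a claims clearinghouse).
ALLOWLIST = {"203.0.113.10"}
# Volume from one host to one unknown destination above which the pair is
# treated as possible exfiltration (constructed tuning value: 500 MiB).
BYTES_THRESHOLD = 500 * 1024 * 1024


@dataclass
class Finding:
    host: str
    destination: str
    first_seen: datetime
    last_seen: datetime
    total_bytes: int


def parse_egress(log_text):
    """Yield (timestamp, host, destination, port, bytes) tuples from the log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(port), int(nbytes)


def find_exfiltration(log_text, allowlist=ALLOWLIST, threshold=BYTES_THRESHOLD):
    """Sum outbound bytes per (host, destination), skipping allowlisted
    destinations, and return the pairs at or above the threshold in time order."""
    totals = {}
    for ts, host, dst, _port, nbytes in parse_egress(log_text):
        if dst in allowlist:
            continue
        f = totals.setdefault((host, dst), Finding(host, dst, ts, ts, 0))
        f.first_seen = min(f.first_seen, ts)
        f.last_seen = max(f.last_seen, ts)
        f.total_bytes += nbytes
    hits = [f for f in totals.values() if f.total_bytes >= threshold]
    return sorted(hits, key=lambda f: f.first_seen)


def timeline(findings):
    """Plain-language lines for the written risk assessment (factor 3: was ePHI acquired?)."""
    return [
        f"{f.first_seen:%Y-%m-%d %H:%M}Z to {f.last_seen:%Y-%m-%d %H:%M}Z: "
        f"{f.host} sent {f.total_bytes / 2**20:.0f} MiB to {f.destination} (not allowlisted)"
        for f in findings
    ]


if __name__ == "__main__":
    for line in timeline(find_exfiltration(EGRESS_LOG)):
        print(line)
```

A hit here does not prove exfiltration; it tells you where to pull full-packet capture, proxy, or EDR evidence and which hosts to image first. The converse matters just as much for the assessment: no hits is only persuasive if you can also document that egress logging covered every path out of the environment for the whole time the attacker was present.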

Operational considerations

  • Coordinate legal counsel, incident response, and communications to meet breach notification rule timelines.
  • Avoid paying ransoms unless legally vetted; prioritize restoration from clean, offline backups and eradication of persistence.
  • Implement post-incident hardening: MFA everywhere, EDR, network segmentation, immutable backups, and rapid patching.

Security Incident Response

Core lifecycle

  • Preparation: Policies, playbooks, role-based training, tabletop exercises, and vendor contact trees.
  • Identification: Monitor alerts, triage quickly, and declare an incident when ePHI may be at risk.
  • Containment: Isolate affected systems, rotate credentials, block malicious domains, and preserve evidence.
  • Eradication and recovery: Remove malware, rebuild systems from known-good images, validate data integrity, and restore services.
  • Notification and communication: Align legal, privacy, and security teams to meet HIPAA timelines and content requirements.
  • Lessons learned: Update controls, close gaps, retrain staff, and test improvements.

Controls that reduce breach risk

  • Strong encryption standards for data at rest and in transit using validated cryptography and disciplined key management.
  • MFA, least privilege, network segmentation, and continuous logging with retention sufficient for investigations.
  • Regular vulnerability management, phishing resilience training, and vendor risk management with clear breach terms in the business associate agreement.

Conclusion

A breach of ePHI occurs when impermissible access, use, or disclosure compromises privacy or security. If you cannot demonstrate a low probability of compromise using the required risk assessment criteria, you must notify individuals, HHS, and in some cases the media under the breach notification rule. Strong preventive controls, clear contracts, and a tested response plan are essential to meet HIPAA obligations and protect patients.

FAQs

What constitutes a breach of ePHI?

A breach is any acquisition, access, use, or disclosure of ePHI not permitted by the Privacy Rule that compromises its security or privacy. There are limited exceptions (e.g., certain good‑faith or intra‑organizational disclosures where the information is not further misused), but absent a documented assessment showing a low probability of compromise, an impermissible disclosure is treated as a breach.

How soon must breaches of ePHI be reported under HIPAA?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals require notice to HHS within the same 60 days and, if more than 500 residents of a single state or jurisdiction are affected, notice to prominent media outlets serving that area within 60 days. Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered.

What are the obligations of business associates regarding ePHI breaches?

Business associates must investigate, mitigate, and notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery, providing details needed for notifications. Their responsibilities are defined in the business associate agreement and include safeguarding ePHI, flowing down requirements to subcontractors, and cooperating during investigations and audits.

How does ransomware affect the reporting of ePHI breaches?

Ransomware typically triggers a presumption of breach because attackers may access or exfiltrate ePHI. Unless your risk assessment shows a low probability of compromise—considering data sensitivity, evidence of viewing or exfiltration, the attacker’s identity, and mitigation—you must follow breach notification rule requirements. Attacker encryption alone does not create safe harbor.
