HIPAA Breach Definition: What It Is and What Counts Under the Privacy Rule


Kevin Henry

HIPAA

June 22, 2025


Definition of a HIPAA Breach

A HIPAA breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. In plain terms, if PHI is handled in a way the Privacy Rule does not permit and that could compromise its confidentiality, it is a breach.

PHI includes individually identifiable health information in any form—electronic, paper, or oral. The rules apply to each Covered Entity (such as health plans, most providers, and clearinghouses) and to every Business Associate that creates, receives, maintains, or transmits PHI on a covered entity’s behalf.

While the Breach Notification Rule focuses on incidents involving Unsecured PHI, you should still investigate any impermissible use or disclosure. Examples include emailing patient lists to the wrong recipient, lost unencrypted laptops containing ePHI, or disclosing diagnoses beyond the minimum necessary.

Presumption of Breach

Under HIPAA, any impermissible use or disclosure of PHI is presumed to be a breach. You may overcome this presumption only if you document, through a Risk Assessment, that there is a low probability that the PHI has been compromised.

The burden of proof rests with the Covered Entity or Business Associate. You must retain documentation showing what happened, the analysis performed, and why you concluded the probability of compromise is low or that an exception applies.

Risk Assessment Factors

Your Risk Assessment must be thorough, fact-specific, and documented. HIPAA identifies four core factors you must evaluate to determine the probability that PHI was compromised:

  • Nature and extent of PHI involved: Consider the types of identifiers (e.g., names, SSNs, diagnoses, medication lists) and the sensitivity of the information, including the likelihood of re-identification.
  • Unauthorized person: Assess who used or received the PHI. Risk is typically lower if the recipient is another Covered Entity or Business Associate bound by HIPAA, and higher if it is an unknown individual.
  • Whether PHI was actually acquired or viewed: Determine if the data was merely exposed or was opened, downloaded, or otherwise accessed.
  • Extent of mitigation: Evaluate steps taken to reduce risk, such as obtaining satisfactory assurances, retrieving data, resetting credentials, or confirming deletion without retention.

You may consider additional, relevant factors where appropriate. Conclude with a reasoned determination—supported by evidence—that the probability of compromise is low, or proceed with breach notifications.

Exceptions to Breach Definition

HIPAA recognizes three narrow exceptions where an impermissible use or disclosure does not constitute a breach:

  • Unintentional access, acquisition, or use by a workforce member or person acting under the authority of a Covered Entity or Business Associate, in good faith and within scope of authority, with no further impermissible use or disclosure.
  • Inadvertent disclosure from one authorized person to another authorized person within the same Covered Entity, Business Associate, or organized health care arrangement, with no further impermissible use or disclosure.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a sealed envelope returned unopened or a misdirected email immediately rejected and not accessible).

These exceptions are fact-specific and must be documented. If none applies and the Risk Assessment does not support a low probability of compromise, treat the incident as a breach.


Breach Notification Requirements

Who must notify

Covered Entities must notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, for large incidents, prominent media outlets in the affected state or jurisdiction. Business Associates must notify the Covered Entity without unreasonable delay, including the identities of affected individuals when known.

Timelines and discovery

Notification must occur without unreasonable delay and in no case later than 60 calendar days after discovery. “Discovery” is the date the breach is known—or by exercising reasonable diligence would have been known—to the organization. Business Associates follow the same 60-day outer limit when notifying the Covered Entity.

Individual notice content

  • A brief description of what happened, including the date of the breach and the date of discovery, if known.
  • The types of PHI involved (e.g., name, date of birth, diagnosis, account number).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact information for questions (toll-free number, email, or postal address).

How to notify

Provide written notice by first-class mail or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more individuals, you must provide substitute notice (e.g., a conspicuous website posting or media notice) for at least 90 days and include a toll-free number.

Notifying HHS and the media

  • 500 or more individuals: Notify HHS contemporaneously with individual notices and no later than 60 calendar days after discovery, and notify prominent media in the affected state or jurisdiction.
  • Fewer than 500 individuals: Log the breach and submit to HHS no later than 60 days after the end of the calendar year in which it occurred.

Law enforcement delay

If a law enforcement official states that a notification would impede a criminal investigation or threaten national security, you may delay notice for the time and manner specified by the official.
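The notification requirements above can be turned into a small deadline and tier calculator for an incident tracker, so that the 60-day outer limit, the 500-individual tier, the 10-individual substitute-notice threshold and a documented law-enforcement delay are computed rather than remembered. The Python below is an added example, not code from the original article or from Accountable; it takes the Covered Entity's perspective and assumes the Risk Assessment has already concluded that Unsecured PHI was breached. The names BreachFacts, Obligations, notification_obligations and obligations_for are this example's own, and the sample incident is constructed.

```python
"""Compute HIPAA breach-notification deadlines and tiers from incident facts.

Added example (not the article's or Accountable's code). Assumes a Covered
Entity that has already concluded, via its documented Risk Assessment, that
a breach of Unsecured PHI occurred. Class and function names are this
example's own choices, not terms from the rule.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

OUTER_LIMIT_DAYS = 60             # "no later than 60 calendar days after discovery"
LARGE_BREACH_THRESHOLD = 500      # 500+ individuals: HHS with individual notices, plus media
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10+ unreachable individuals: website/media substitute notice
SUBSTITUTE_NOTICE_MIN_DAYS = 90   # substitute posting must stay up at least 90 days


@dataclass
class BreachFacts:
    discovery: date                  # date the breach was known, or should have been known
    affected_individuals: int
    bad_contact_info: int = 0        # individuals with insufficient or out-of-date contact info
    # Date stated by a law-enforcement official who said earlier notice would
    # impede an investigation; None when no such statement was made.
    law_enforcement_delay_until: Optional[date] = None


@dataclass
class Obligations:
    individual_notice_deadline: date
    hhs_notice_deadline: date
    hhs_notice_timing: str           # "with individual notices" or "annual log"
    media_notice_required: bool
    substitute_notice_required: bool
    notes: List[str] = field(default_factory=list)


def notification_obligations(facts: BreachFacts) -> Obligations:
    notes: List[str] = []

    # Individuals: without unreasonable delay, outer limit 60 calendar days after discovery.
    individual_deadline = facts.discovery + timedelta(days=OUTER_LIMIT_DAYS)

    # A documented law-enforcement statement may push the deadline out, never in.
    if facts.law_enforcement_delay_until is not None:
        if facts.law_enforcement_delay_until > individual_deadline:
            individual_deadline = facts.law_enforcement_delay_until
            notes.append("deadline extended per law-enforcement statement; retain the written request")
        else:
            notes.append("law-enforcement date is within the 60-day limit; no extension applied")

    # HHS and media: the tier depends on how many individuals are affected.
    if facts.affected_individuals >= LARGE_BREACH_THRESHOLD:
        hhs_deadline = individual_deadline          # contemporaneous with individual notices
        hhs_timing = "with individual notices"
        media = True                                # prominent media in the affected state/jurisdiction
    else:
        # Log the breach; submit the log within 60 days after the end of the calendar
        # year (keyed here to the year of discovery, which is how the annual log is kept).
        year_end = date(facts.discovery.year, 12, 31)
        hhs_deadline = year_end + timedelta(days=OUTER_LIMIT_DAYS)
        hhs_timing = "annual log"
        media = False

    # Substitute notice when contact information fails for 10 or more individuals.
    substitute = facts.bad_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD
    if substitute:
        notes.append(
            f"substitute notice (conspicuous website posting or media) for at least "
            f"{SUBSTITUTE_NOTICE_MIN_DAYS} days, including a toll-free number"
        )

    return Obligations(individual_deadline, hhs_deadline, hhs_timing, media, substitute, notes)


def obligations_for(discovery_iso: str, affected_individuals: int,
                    bad_contact_info: int = 0,
                    law_enforcement_delay_until_iso: Optional[str] = None) -> Obligations:
    """Convenience wrapper taking ISO-8601 date strings, e.g. from a ticketing system."""
    delay = (date.fromisoformat(law_enforcement_delay_until_iso)
             if law_enforcement_delay_until_iso else None)
    return notification_obligations(BreachFacts(
        discovery=date.fromisoformat(discovery_iso),
        affected_individuals=affected_individuals,
        bad_contact_info=bad_contact_info,
        law_enforcement_delay_until=delay,
    ))


if __name__ == "__main__":
    # Constructed sample incident: a misdirected patient-list export discovered 2025-03-10.
    for key, value in vars(obligations_for("2025-03-10", 1200, bad_contact_info=12)).items():
        print(f"{key}: {value}")
```

The output is a record to attach to the incident file alongside the Risk Assessment; the dates are outer limits, and the "without unreasonable delay" standard still means notifying earlier whenever the facts allow.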

Secured PHI

The Breach Notification Rule applies to Unsecured PHI. PHI is considered “secured” when rendered unusable, unreadable, or indecipherable to unauthorized individuals through technologies and methodologies recognized by federal guidance, such as strong encryption or proper destruction.

  • Encryption: Robust, standards-based encryption for data at rest and in transit, with keys stored separately. Password protection alone is not sufficient.
  • Destruction: Shredding, pulping, burning, or degaussing media so PHI cannot be reconstructed.

If a device containing encrypted PHI is lost but the encryption keys were not compromised, the incident typically does not trigger breach notification because it does not involve Unsecured PHI. Always verify key management and access logs as part of your Risk Assessment.

Breach Notification Rule Applicability

The Breach Notification Rule applies to Covered Entities and Business Associates for breaches involving Unsecured PHI in any form—electronic, paper, or oral. It does not apply to de-identified data or to uses and disclosures permitted by the Privacy Rule.

Permissible disclosures (for treatment, payment, health care operations, and other authorized purposes) are not breaches. However, Security Rule incidents, such as malware or ransomware, may still lead to a breach if PHI was compromised; you must conduct and document a Risk Assessment in every such event.

State data-breach laws may add stricter or additional obligations. When state law is more stringent, you must comply with both HIPAA and applicable state requirements. Maintain written policies, workforce training, Business Associate Agreements, and incident response plans to support Privacy Rule compliance and timely notifications.

Conclusion

In practice, treat every impermissible use or disclosure of PHI as a presumed breach, perform and document a rigorous Risk Assessment, apply the narrow HIPAA exceptions carefully, and notify as required when Unsecured PHI is involved. Strong encryption, sound mitigation, and disciplined documentation are your best safeguards for compliance.

FAQs

What constitutes a HIPAA breach?

A HIPAA breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Unless a narrow exception applies or a documented Risk Assessment shows a low probability of compromise, you must treat the incident as a breach.

How is the risk assessment for a breach conducted?

You evaluate four required factors: the nature and extent of PHI involved, the unauthorized person, whether the PHI was actually acquired or viewed, and the extent of mitigation. Document your evidence and reasoning, and conclude whether the probability of compromise is low.

When are breach notifications required?

Notifications are required for breaches of Unsecured PHI. Covered Entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, notify HHS (timing depends on breach size), and notify the media for incidents affecting 500 or more residents of a state or jurisdiction. Business Associates must notify the Covered Entity within the same 60-day outer limit.

What are the exceptions to the HIPAA breach definition?

Three exceptions apply: good-faith, unintentional access or use by an authorized workforce member within scope; inadvertent disclosure between authorized persons within the same entity or organized arrangement; and disclosures where the recipient could not reasonably retain the information. If none apply and risk is not low, treat the event as a breach.
