HIPAA Breach Definition: What It Is, Exceptions, and Examples

Kevin Henry

HIPAA

June 24, 2025

7-minute read

This guide unpacks the HIPAA Breach Definition so you can quickly determine what qualifies as a breach, when exceptions apply, and how to recognize real-world scenarios. You will learn how the Privacy Rule frames impermissible use or unauthorized disclosure of Protected Health Information (PHI) and what that means for any Covered Entity or Business Associate.

Definition of HIPAA Breach

Under the Privacy Rule, a breach is an impermissible use or unauthorized disclosure of PHI that compromises the security or privacy of that information. For HIPAA purposes, the Breach Notification Rule applies to incidents involving unsecured PHI, and there is a presumption of breach unless you can demonstrate a low probability that PHI has been compromised.

Who is in scope

The standard applies to any Covered Entity (such as providers, health plans, and clearinghouses) and any Business Associate that handles PHI on a covered entity’s behalf. Your incident response obligations flow from your role and contracts, but the breach analysis uses the same core principles.

Risk assessment factors

To rebut the presumption of breach, you must conduct and document a fact-specific assessment considering:

  • The nature and extent of PHI involved (identifiers, sensitivity, and likelihood of re-identification).
  • The unauthorized person who used or received the PHI and their obligations to protect it.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which risks were mitigated (for example, prompt retrieval or secure deletion).

If PHI is appropriately secured (for example, through strong encryption) before an incident, the event typically is not a reportable breach because the PHI is not “unsecured.”

Exceptions to HIPAA Breach

HIPAA recognizes three narrow exceptions—often grouped under a Good Faith Exception framework—that mean certain incidents are not breaches. These are: unintentional access by an authorized workforce member acting in good faith and within scope; inadvertent disclosure between two authorized persons within the same organization (or organized arrangement); and disclosures where you have a good faith belief the unauthorized recipient could not reasonably have retained the information.

Each exception is fact-bound. You should still log the event, analyze it, and document why the exception applies, including any mitigation you performed.

Unintentional Access

This exception covers an unintentional acquisition, access, or use of PHI by a workforce member of a Covered Entity or Business Associate when done in good faith and within the person’s scope of authority. The key is that the access is accidental, promptly corrected, and does not lead to further impermissible use or disclosure.

What it looks like

  • A nurse opens the wrong patient chart, realizes the mistake immediately, closes it, and reports the incident.
  • A billing specialist briefly views an unrelated account due to an auto-complete error, then stops and notifies compliance.

How to handle it

  • Confirm the workforce member was authorized to access PHI generally and acted within scope.
  • Verify no further use or disclosure occurred and that viewing was momentary or incidental.
  • Document the facts, user intent, and mitigation steps; reinforce least-necessary-access practices.

Inadvertent Disclosure

This exception applies when an authorized person discloses PHI inadvertently to another authorized person within the same Covered Entity, Business Associate, or organized health care arrangement, and the recipient is permitted to access PHI. The disclosure must remain internal among authorized individuals.

What it looks like

  • Sending a handoff note with limited PHI to the wrong on-call clinician in the same unit, both of whom are authorized to access PHI.
  • Misdirecting a secure message to a colleague on the same care team, then promptly correcting it.

How to handle it

  • Verify both sender and recipient are authorized for PHI within your organization or arrangement.
  • Contain the disclosure, confirm it was not forwarded, and remove or correct the message.
  • Record the event and apply targeted training to prevent recurrence.

Good Faith Belief of No Retention

This exception applies when PHI is disclosed to an unauthorized person but you have a good faith belief that the recipient could not reasonably have retained the information. Your analysis should focus on the likelihood any PHI was captured, copied, or saved.

What it looks like

  • A discharge summary is handed to the wrong patient but retrieved immediately before the individual could review it.
  • A fax with minimal PHI is sent to the wrong secure office device; the recipient confirms immediate shredding without copying.
  • An email with limited PHI is opened, but the recipient reports the error at once and permanently deletes it without forwarding or downloading it.

How to handle it

  • Gather credible evidence of non-retention (e.g., prompt return, deletion confirmation, unopened mail).
  • Assess whether any PHI was likely viewed or stored; if uncertain, treat conservatively.
  • Document your good faith basis and mitigation steps.

Examples of HIPAA Breach

Below are common scenarios that typically constitute a breach because they involve impermissible use or unauthorized disclosure of unsecured PHI and do not fit an exception.

  • Lost or stolen unencrypted laptop, smartphone, or USB drive containing PHI.
  • Ransomware or hacking incident where ePHI is accessed, exfiltrated, or its integrity is compromised.
  • Email or fax with PHI sent to the wrong external recipient who is not authorized.
  • Workforce “snooping” in an EHR without a need-to-know relationship to the patient.
  • Posting patient details or images on social media or in public forums.
  • Improper disposal of records with PHI (e.g., paper files in regular trash, un-wiped device).
  • Vendor misconfiguration exposing PHI on a public server or shared drive.
  • Mailing statements to the wrong address when PHI is viewable.

What to do after a likely breach

  • Stop the incident, secure systems, and preserve evidence.
  • Run and document the four-factor risk assessment.
  • Notify affected individuals and other required parties as applicable, and implement corrective actions.

Impact of HIPAA Breaches

Breaches can trigger legal obligations, including individual notifications without unreasonable delay and within defined time frames, potential notifications to regulators and (for larger incidents) to the media, and contractual notices to Business Associates. You may also face investigations, corrective action, and civil penalties.

Operationally, breaches disrupt care workflows, consume IT and compliance resources, and may require monitoring services for affected individuals. Reputational damage erodes patient trust, while financial costs include remediation, training, and technology hardening.

Summary

A HIPAA breach occurs when there is an impermissible use or unauthorized disclosure of unsecured PHI that is not excused by an exception and for which you cannot show a low probability of compromise. Apply the four-factor analysis, check the Good Faith Exception pathways, document everything, and act swiftly to mitigate harm and fulfill your obligations.

FAQs

What constitutes a HIPAA breach?

A HIPAA breach is an impermissible use or unauthorized disclosure of unsecured PHI under the Privacy Rule that compromises the information’s security or privacy. Unless your documented assessment shows a low probability of compromise, you must treat the incident as a breach and proceed with required notifications.

What are the exceptions to a HIPAA breach?

Three exceptions—often called the Good Faith Exception—may apply: unintentional access by an authorized workforce member acting in good faith and within scope; inadvertent disclosure between two authorized persons within the same organization or arrangement; and disclosures where you have a good faith belief the unauthorized recipient could not reasonably have retained the PHI.

How is unintentional access treated under HIPAA?

If a workforce member of a Covered Entity or Business Associate accidentally accesses PHI in good faith, within their scope, and without further use or disclosure, the incident is not a breach. You should still document the event, confirm containment, and provide targeted training as needed.

What are examples of inadvertent PHI disclosure?

Common inadvertent disclosures include sending a limited-PHI message to the wrong authorized colleague within the same unit, sharing a report with the wrong care-team member who is still authorized, or forwarding a handoff note internally to the wrong authorized recipient. These are typically not breaches if both parties are authorized and you promptly contain and document the event.
