HIPAA Breach or Incident? Assessing and Investigating Accidental Disclosures
Definition of HIPAA Breach
A HIPAA breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. Under the Breach Notification Rule, there is a presumption that an impermissible disclosure is a breach unless you can demonstrate a low probability that the PHI has been compromised.
“Unsecured PHI” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through technologies like strong encryption or secure destruction. Breach obligations attach to unsecured PHI.
- Covered Entities and Business Associates must evaluate any impermissible disclosure.
- The standard hinges on the “probability of compromise,” supported by a documented risk assessment.
- Security incidents that do not involve PHI, or involve properly secured PHI, may be incidents rather than reportable breaches.
Incident vs. Breach
An incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. A breach is a subset of incidents that meet the criteria above and are not subject to an exception.
Exceptions to Breach Definition
Certain situations are not considered breaches, even if PHI is involved:
- Unintentional access within scope: A workforce member inadvertently accesses or uses PHI in good faith and within the scope of authority, and no further impermissible use or disclosure occurs.
- Inadvertent internal disclosure: PHI is inadvertently disclosed by a person authorized to access PHI to another person authorized to access PHI at the same Covered Entity, Organized Health Care Arrangement, or Business Associate, and the information is not further used or disclosed in an impermissible manner.
- Recipient could not retain the information: You have a good-faith belief that the unauthorized person could not reasonably have retained the PHI (for example, a returned unopened letter or a fax immediately retrieved and destroyed).
When Secured PHI Is Involved
If PHI is encrypted consistent with recognized standards or is securely destroyed, the event involves secured rather than unsecured PHI and is generally not a reportable breach under the Breach Notification Rule. Still, treat it as a security incident to evaluate controls and document the outcome.
Conducting Risk Assessments
To determine whether there is a low probability of compromise, apply the four core Risk Assessment Factors and document your findings:
- Nature and extent of PHI: Types of identifiers, sensitivity (e.g., diagnoses, SSNs), and risk of re-identification.
- Unauthorized person: Who used the PHI or received it (e.g., another provider vs. a member of the public) and their legal obligations to protect it.
- Whether PHI was actually acquired or viewed: Evidence from system logs, audit trails, recipient attestations, or forensic analysis.
- Mitigation: Steps taken to reduce risk, such as obtaining written confirmation of deletion, retrieving misdirected mail, or resetting credentials.
Practical Workflow
- Triage: The Privacy Officer receives the report, timestamps discovery, and opens an incident ticket.
- Containment: Stop further disclosure (e.g., recall emails, disable accounts, recover devices).
- Evidence: Preserve logs, screenshots, messages, and witness notes.
- Analysis: Score each Risk Assessment Factor (e.g., low/medium/high) and justify with facts.
- Determination: If you cannot conclude a low probability of compromise, treat the event as a breach.
- Documentation: Record rationale, approvals, and any Corrective Action Plans.
Breach Notification Requirements
When an event is a breach of unsecured PHI, you must provide notifications without unreasonable delay and no later than 60 calendar days from discovery.
Individual Notice
- Who: Affected individuals (or personal representatives).
- How: First-class mail or email if the individual has agreed to electronic notice; use substitute notice if contact information is insufficient.
- Content: Brief description of what happened; types of PHI involved; steps individuals should take; what you are doing (mitigation, investigations, Corrective Action Plans); and contact methods.
Notice to HHS
- 500 or more affected: Notify HHS contemporaneously with individual notice and no later than 60 days from discovery.
- Fewer than 500 affected: Maintain a breach log and submit to HHS no later than 60 days after the end of the calendar year of discovery.
Media Notice
- If a breach affects more than 500 residents of a single state or jurisdiction, notify prominent media outlets in that area within 60 days of discovery.
Timing and “Discovery”
- Discovery occurs on the first day the breach is known to the Covered Entity or Business Associate, or would have been known by exercising reasonable diligence.
- Start the 60-day clock at discovery; avoid waiting for complete counts if core facts are known—supplement as needed.
- Confirm whether state laws impose shorter time frames and align your plan accordingly.
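The determination logic and notification timing described in the sections above, as an added example that is not part of the original article. It is a Python sketch, not a legal tool: it takes the outcome of the four-factor assessment as an input rather than scoring it, computes each deadline as the discovery date plus 60 calendar days (assumed here as the way the "no later than 60 days" limit is counted), does not model shorter state-law windows, and uses constructed per-state counts; the class and field names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# "Without unreasonable delay and no later than 60 calendar days" (assumed: counted from the discovery date).
NOTICE_WINDOW = timedelta(days=60)


@dataclass
class Incident:
    """Facts recorded by the Privacy Officer at triage (hypothetical record layout)."""
    discovered: date                  # first day known, or should have been known with reasonable diligence
    phi_secured: bool                 # encrypted to a recognized standard or securely destroyed
    exception_applies: bool           # one of the three documented Breach Notification Rule exceptions
    low_probability_of_compromise: Optional[bool]  # four-factor assessment outcome; None = not yet concluded
    affected_by_state: Dict[str, int] = field(default_factory=dict)  # constructed counts per state/jurisdiction


@dataclass
class Determination:
    is_breach: bool
    rationale: str
    individual_notice_by: Optional[date] = None
    hhs_notice_by: Optional[date] = None
    media_notice_by: Dict[str, date] = field(default_factory=dict)


def assess(inc: Incident) -> Determination:
    """Apply the breach presumption, then derive notification deadlines for a breach of unsecured PHI."""
    if inc.phi_secured:
        return Determination(False, "secured PHI: log as a security incident, no breach notification")
    if inc.exception_applies:
        return Determination(False, "documented exception applies: not a breach")
    if inc.low_probability_of_compromise is True:
        return Determination(False, "risk assessment demonstrates a low probability of compromise")

    # Unsecured PHI with no demonstrated low probability: the presumption of breach stands,
    # including when the assessment has not been concluded yet.
    rationale = ("low probability of compromise not demonstrated"
                 if inc.low_probability_of_compromise is False
                 else "assessment not concluded; presumption of breach applies")
    det = Determination(True, rationale)

    det.individual_notice_by = inc.discovered + NOTICE_WINDOW
    total = sum(inc.affected_by_state.values())
    if total >= 500:
        # 500 or more: HHS notice contemporaneous with individual notice.
        det.hhs_notice_by = det.individual_notice_by
    else:
        # Fewer than 500: keep on the breach log, submit within 60 days after the calendar year ends.
        det.hhs_notice_by = date(inc.discovered.year, 12, 31) + NOTICE_WINDOW
    for state, count in inc.affected_by_state.items():
        if count > 500:  # more than 500 residents of a single state or jurisdiction
            det.media_notice_by[state] = det.individual_notice_by
    return det


def days_remaining(deadline: date, today: date) -> int:
    """Negative when the deadline has already passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed scenario: a misdirected export discovered 2024-01-15 affecting 620 Texans and 40 Oklahomans.
    example = Incident(date(2024, 1, 15), False, False, False, {"TX": 620, "OK": 40})
    result = assess(example)
    print(result.is_breach, result.rationale)
    print("individuals by", result.individual_notice_by, "HHS by", result.hhs_notice_by)
    print("media notice:", result.media_notice_by)
```

The `None` branch is deliberate: an incident whose assessment has stalled is still a presumed breach, so the deadlines are computed from discovery rather than from the day the analysis finishes, which matches the advice above not to wait for complete counts.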
Role of Business Associates
Business Associates must protect PHI under the Security Rule and certain Privacy Rule provisions, and they are directly liable for noncompliance. They also have breach reporting duties to Covered Entities.
Business Associate Agreements
- Define permitted uses/disclosures and require safeguards consistent with HIPAA.
- Mandate prompt incident and breach reporting (often faster than 60 days, per contract).
- Flow down obligations to subcontractors handling PHI.
BA Reporting Details
- Notify the Covered Entity without unreasonable delay and no later than 60 days from discovery.
- Provide identification of affected individuals, the circumstances, and information the Covered Entity needs to deliver complete notices.
- Cooperate on forensics, mitigation, and Corrective Action Plans.
Documentation and Reporting Procedures
Strong documentation supports compliance and defensibility. Make it routine and complete.
Records to Maintain
- Incident/breach logs with discovery dates, decisions, and Risk Assessment Factors.
- Notifications sent (templates, dates, recipients, and content).
- Mitigation steps, vendor communications, and recipient attestations of deletion/return.
- Policy updates, training records, sanctions applied, and evidence of technical remediation.
Privacy Officer Responsibilities
- Oversee intake, triage, and determination of incident vs. breach.
- Direct risk assessments, approvals, and final sign-off.
- Coordinate with Security, Legal, Compliance, and Business Associates.
- Ensure retention of HIPAA documentation for at least six years and readiness for audits.
Incident Response Procedures
An effective response limits harm, speeds recovery, and demonstrates compliance.
Step-by-Step Playbook
- Identify: Encourage rapid reporting by staff; centralize intake with ticketing.
- Contain: Stop the disclosure, secure accounts/devices, and isolate affected systems.
- Eradicate and Recover: Remove malicious content, patch vulnerabilities, restore clean data, and validate systems.
- Assess: Apply the Risk Assessment Factors and determine breach status.
- Notify: Follow the Breach Notification Rule timelines and required content.
- Remediate: Implement Corrective Action Plans—policy changes, access adjustments, training, and monitoring.
- Review: Conduct a post-incident review, track lessons learned, and test controls.
Common Accidental Disclosures
- Misdirected emails, faxes, or mailings to the wrong patient or vendor.
- Verbal disclosures in public areas or to unauthorized family members.
- Lost or stolen unencrypted devices, or files left in unsecured locations.
- Inappropriate workforce access to patient records without a treatment, payment, or health care operations purpose (for example, looking up a relative's or a coworker's chart).
Summary
Treat every accidental disclosure as an incident, rapidly contain it, and document a fact-based risk assessment. If you cannot show a low probability of compromise for unsecured PHI, follow the Breach Notification Rule. Clear Privacy Officer oversight, strong Business Associate Agreements, and well-executed Corrective Action Plans help Covered Entities protect individuals and meet HIPAA obligations.
FAQs
What constitutes an accidental HIPAA violation?
An accidental HIPAA violation is an impermissible use or disclosure of PHI caused by mistake—such as sending a record to the wrong recipient, discussing PHI where it can be overheard, or losing an unencrypted device. You must treat it as an incident, contain it, and evaluate whether it is a reportable breach using the Risk Assessment Factors.
How should a covered entity conduct a HIPAA breach risk assessment?
Document a structured review of the four factors: the nature and extent of PHI, who received it, whether it was actually acquired or viewed, and the effectiveness of mitigation. Support conclusions with logs, attestations, and forensics. If a low probability of compromise cannot be demonstrated, treat the event as a breach.
When must breach notifications be reported?
Provide notices without unreasonable delay and no later than 60 calendar days from discovery. Individuals must be notified directly; HHS must be notified contemporaneously with individual notice for breaches affecting 500 or more individuals, and smaller breaches are logged and submitted to HHS no later than 60 days after the end of the calendar year in which they were discovered; media notice is required if more than 500 residents of a single state or jurisdiction are affected.
What roles do business associates play in breach investigations?
Business Associates must investigate incidents involving PHI they handle, mitigate harm, and notify the Covered Entity without unreasonable delay (no later than 60 days). Business Associate Agreements often require faster reporting and cooperation, including supplying affected individual lists, forensic findings, and details needed for the Covered Entity’s breach notifications.