Under HIPAA, Who Determines If an Impermissible Disclosure Is a Reportable Breach?
Determination of Reportable Breach
Under HIPAA, the entity that experiences or discovers the incident makes the call. That means the covered entity or the business associate that becomes aware of an impermissible use or unauthorized disclosure of protected health information (PHI) must determine whether it rises to a reportable breach.
In practice, you route incidents to your designated privacy official (with support from the security official). Business associates must investigate and, if a breach of unsecured PHI is likely, notify the covered entity; the regulation itself requires this notice, and the business associate agreement usually sets a shorter deadline and specifies what the notice must contain. The covered entity typically leads any external breach notification, though agreements can delegate tasks.
Always start by confirming whether PHI was involved and whether it was "unsecured" (not rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance). If PHI is not involved, or it was secured, HIPAA breach notification rules do not apply, though internal HIPAA compliance follow-up (for example, sanctions or a Security Rule review) may still be warranted.
Risk Assessment Process
HIPAA requires a documented, fact‑specific risk assessment to decide if an impermissible disclosure constitutes a reportable breach. You must evaluate the probability that PHI has been compromised using four required factors; do not substitute a “harm” test or rely on intuition.
The four required factors
- Nature and extent of PHI involved: Identify what data elements were exposed (for example, names and medical record numbers versus full clinical notes, diagnoses, SSNs). Consider sensitivity and the likelihood of re‑identification.
- Unauthorized person who used or received the PHI: Assess the recipient’s role and obligations. Exposure to another covered entity or business associate under a duty to protect PHI generally lowers risk compared with disclosure to an unknown individual.
- Whether the PHI was actually acquired or viewed: Use evidence such as access logs, email bounce‑backs, encryption status, or unopened returned mail to determine if anyone actually saw or retained the information.
- Extent to which the risk has been mitigated: Consider confirmed destruction or return of the data, remote wipe verification, recipient attestations, and technical safeguards that limited the exposure.
How to conduct and document the assessment
Move quickly to contain the incident, gather facts, and evaluate each factor with objective evidence. Avoid mechanical scoring; instead, reach a reasoned determination supported by your findings. Record who investigated, key timelines, evidence reviewed, and the final conclusion with rationale. This documentation is critical to demonstrate HIPAA compliance.
Presumption of Breach
HIPAA presumes that any impermissible use or disclosure of unsecured PHI is a breach requiring notification. You can rebut that presumption only if your documented risk assessment shows a low probability that the PHI has been compromised, based on the four factors.
The burden of proof is on you—the covered entity or business associate—to show that notification was not required, or that required notices were provided properly. If the evidence is inconclusive, treat the incident as a reportable breach.
Practical illustrations
- Misdirected fax to another provider who promptly confirms destruction lowers risk and may rebut the presumption.
- A stolen laptop whose drive was fully encrypted in line with HHS guidance generally does not involve "unsecured PHI," so the breach rule is not triggered; this holds only if the decryption key or passphrase was not also compromised (for example, written on a note in the laptop bag) and encryption status can be verified from device management records.
- An email with lab results sent to an unknown Gmail address with no mitigation evidence typically remains a reportable breach.
Exceptions to Breach Definition
Three narrow exceptions mean an impermissible use or disclosure is not a breach:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority of a covered entity or business associate, in good faith and within scope, and not resulting in further impermissible use or disclosure.
- Inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI within the same covered entity, business associate, or organized health care arrangement, with no further impermissible use or disclosure.
- Disclosure where you have a good‑faith belief the unauthorized recipient could not reasonably have retained the information (for example, unopened, returned mail or an email auto‑bounce).
Separately, if PHI was properly encrypted or destroyed according to recognized standards, it is not “unsecured PHI,” so the breach notification rule does not apply. De‑identified data also falls outside the breach framework.
Notification Requirements
Notice to affected individuals
If the incident is a reportable breach, you must provide written breach notification to affected individuals without unreasonable delay. The notice must include: a brief description of what happened (including date of breach and discovery, if known); the types of PHI involved; steps individuals should take to protect themselves; what you are doing to investigate, mitigate harm, and prevent recurrence; and contact methods for questions (toll‑free number, email, or postal address).
Notice to the Department of Health and Human Services
You must notify HHS of all reportable breaches. For breaches affecting 500 or more individuals in total, you report to HHS contemporaneously with individual notices. For breaches affecting fewer than 500 individuals, you log them and submit the log to HHS no later than 60 days after the end of the calendar year in which they were discovered.
Media notice for large breaches
For breaches affecting 500 or more residents of a state or jurisdiction, you must notify prominent media outlets in that area within the same timeframe as individual notices. Media notice supplements, but does not replace, direct notice to individuals.
Business associate to covered entity notice
Business associates must notify the covered entity of breaches of unsecured PHI they discover, and supply the information needed for the covered entity’s individual and HHS notices, including the identities (if known) of affected individuals and a description of the incident and mitigation.
Methods and substitutes for notice
Provide individual notice by first-class mail, or by email if the individual has agreed to electronic delivery. If contact information for fewer than 10 individuals is insufficient or out of date, use an alternative form of written notice, telephone, or other means. If contact information for 10 or more individuals is insufficient or out of date, provide substitute notice: either a conspicuous posting on your website home page for at least 90 days or notice in major print or broadcast media where the affected individuals likely reside, in both cases with a toll-free number active for at least 90 days.
Timing of Notifications
Individual notices, media notices, and HHS notices for breaches affecting 500 or more individuals must be sent without unreasonable delay and no later than 60 calendar days after discovery; the annual log for smaller breaches follows its own end-of-year deadline. "Discovery" occurs on the first day the breach is known to you, or would have been known by exercising reasonable diligence, by any workforce member or agent other than the person who committed the incident.
- Individuals: Without unreasonable delay, never more than 60 days from discovery.
- HHS: For 500+ individuals, within the same 60‑day window; for fewer than 500, no later than 60 days after the end of the calendar year of discovery.
- Media: For 500+ residents of a state or jurisdiction, within the same 60‑day window.
- Business associate to covered entity: Without unreasonable delay and no later than 60 days from discovery, subject to any shorter period in the business associate agreement.
Law enforcement delay: If a law enforcement official states that notice would impede a criminal investigation or threaten national security, you must delay notification for the time specified in a written statement; for an oral statement, document the statement and the identity of the official and delay no longer than 30 days from the date of the statement unless a written statement is submitted during that period.
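The determination and timing rules above are easy to get wrong under pressure, especially the split between contemporaneous HHS notice and the annual log and the interaction with a law enforcement hold. The following Python is an added worked example, not code from the original page or from any vendor: it encodes the presumption of breach (an inconclusive assessment is treated as reportable) and computes the notification calendar for a determined breach. The `Incident` and `Determination` fields and the function names are hypothetical. One point is an assumption rather than something the page states: when a law enforcement hold runs past day 60, the code moves the outer deadline to the end of the hold; confirm that reading with counsel.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Rule constants as stated on the page.
OUTER_LIMIT_DAYS = 60          # never later than 60 calendar days after discovery
ORAL_LE_HOLD_DAYS = 30         # oral law-enforcement request: hold at most 30 days
LARGE_BREACH = 500             # 500+ individuals in total: contemporaneous HHS notice
MEDIA_PER_JURISDICTION = 500   # 500+ residents of one state/jurisdiction: media notice


@dataclass
class Determination:
    """Outcome of the privacy official's triage and four-factor assessment (hypothetical fields)."""
    phi_involved: bool
    unsecured: bool                              # not encrypted/destroyed per HHS guidance
    exception_applies: bool                      # one of the three breach-definition exceptions
    low_probability_documented: Optional[bool]   # None means the assessment was inconclusive


def is_reportable(d: Determination) -> bool:
    """Apply the presumption of breach: only a documented low-probability finding rebuts it."""
    if not d.phi_involved or not d.unsecured:
        return False  # breach notification rule does not apply to secured PHI or non-PHI
    if d.exception_applies:
        return False  # not a breach by definition
    # Burden of proof is on the entity: an inconclusive assessment is treated as reportable.
    return d.low_probability_documented is not True


@dataclass
class Incident:
    """Facts recorded once a breach determination is made (hypothetical fields)."""
    discovered: date                     # first day known, or should have been known
    affected: Dict[str, int]             # jurisdiction -> number of affected residents
    le_written_hold_until: Optional[date] = None   # written law-enforcement statement
    le_oral_request_on: Optional[date] = None      # oral statement with no written follow-up

    @classmethod
    def from_iso(cls, discovered: str, affected: Dict[str, int],
                 le_written_hold_until: Optional[str] = None,
                 le_oral_request_on: Optional[str] = None) -> "Incident":
        """Convenience constructor taking ISO dates (YYYY-MM-DD)."""
        conv = lambda s: date.fromisoformat(s) if s else None
        return cls(date.fromisoformat(discovered), affected,
                   conv(le_written_hold_until), conv(le_oral_request_on))


def total_affected(inc: Incident) -> int:
    return sum(inc.affected.values())


def law_enforcement_hold_until(inc: Incident) -> Optional[date]:
    """Date through which notices are held, or None. A written statement controls;
    an oral statement holds for at most 30 days from the date it was made."""
    if inc.le_written_hold_until is not None:
        return inc.le_written_hold_until
    if inc.le_oral_request_on is not None:
        return inc.le_oral_request_on + timedelta(days=ORAL_LE_HOLD_DAYS)
    return None


def annual_log_deadline(discovered: date) -> date:
    """Breaches under 500: submit to HHS no later than 60 days after the end of the calendar year."""
    return date(discovered.year, 12, 31) + timedelta(days=OUTER_LIMIT_DAYS)


def notification_plan(inc: Incident) -> dict:
    """Compute who must be notified and by when for a breach already determined reportable."""
    outer = inc.discovered + timedelta(days=OUTER_LIMIT_DAYS)
    hold = law_enforcement_hold_until(inc)
    # ASSUMPTION (not stated on the page): a hold that runs past day 60 moves the
    # outer deadline to the end of the hold rather than leaving it at day 60.
    effective = hold if (hold is not None and hold > outer) else outer
    large = total_affected(inc) >= LARGE_BREACH
    media: List[str] = sorted(j for j, n in inc.affected.items() if n >= MEDIA_PER_JURISDICTION)
    return {
        "total_affected": total_affected(inc),
        "held_until": hold,                                   # do not send before this date
        "individual_notice_by": effective,
        "hhs_contemporaneous": large,
        "hhs_notice_by": effective if large else annual_log_deadline(inc.discovered),
        "media_notice_jurisdictions": media,
        "media_notice_by": effective if media else None,
    }


if __name__ == "__main__":
    # Constructed sample: lab results emailed to the wrong domain, 1,240 people across two states.
    inc = Incident.from_iso("2024-03-15", {"CA": 1200, "NV": 40})
    for k, v in notification_plan(inc).items():
        print(f"{k}: {v}")
```

Run it to see that the California residents trigger media notice while the Nevada residents do not, and that the HHS notice shares the individual-notice deadline because the total exceeds 500. Swap in an incident of a dozen people with an oral law enforcement request to see the annual-log deadline and the hold date appear instead.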
Documentation and Compliance
Recordkeeping and retention
Maintain written policies and procedures, incident logs, risk assessments, breach determinations, copies of notifications, and evidence of mitigation for at least six years. Your files must show either that notification was made as required or that a low probability of compromise was properly determined.
Program controls that reduce breach risk
- Encrypt ePHI at rest and in transit; enable remote wipe and device tracking.
- Limit access using role‑based controls and the minimum necessary standard; monitor with audit logs and alerts.
- Train workforce members on privacy, security, and reporting obligations; apply sanctions for violations.
- Harden vendor management: execute robust business associate agreements, review security practices, and define notification timelines.
- Use data loss prevention, email safeguards, and secure fax/workflow tools to prevent unauthorized disclosure.
Making defensible decisions
Establish a repeatable triage and risk assessment workflow, require contemporaneous documentation, and convene a cross-functional review (privacy, security, legal, compliance) before the determination is finalized. This produces consistent determinations, timely breach notification, and a file that can withstand an HHS investigation.
Conclusion
The entity that discovers the incident—covered entity or business associate—decides whether an impermissible disclosure is a reportable breach. Apply the four‑factor risk assessment, remember the presumption of breach, confirm whether an exception or safe harbor applies, meet all breach notification content and timing rules, and document every step to demonstrate compliance.
FAQs
Who is responsible for determining a reportable breach under HIPAA?
The covered entity or business associate that discovers the incident is responsible. Business associates must investigate and notify the covered entity about breaches of unsecured PHI, and the covered entity generally leads individual, media, and HHS breach notification unless delegated by agreement.
What factors are considered in the HIPAA breach risk assessment?
HIPAA requires you to evaluate: (1) the nature and extent of PHI involved, including sensitivity and identifiability; (2) the identity and obligations of the unauthorized recipient; (3) whether the PHI was actually acquired or viewed; and (4) the extent of mitigation (for example, verified destruction or remote wipe). Your documented analysis must show a low probability of compromise to avoid notification.
When are breach notification requirements triggered?
They are triggered when there is an impermissible use or disclosure of unsecured PHI, none of the three exceptions apply, and you cannot demonstrate a low probability that the PHI was compromised. In that case, you must notify affected individuals (and, when applicable, HHS and the media) within the required timeframes.
What exceptions exist to the HIPAA breach definition?
Exceptions include: (1) good‑faith, unintentional access or use by an authorized person within scope and without further improper disclosure; (2) inadvertent disclosure between two authorized persons within the same covered entity, business associate, or organized health care arrangement without further improper disclosure; and (3) disclosures where the recipient could not reasonably have retained the information. Additionally, properly encrypted or destroyed PHI is not “unsecured,” so the breach rule does not apply.