Understanding the HIPAA Breach Notification Rule: Definitions, Exceptions, Examples

Kevin Henry

HIPAA

April 28, 2024

7 minutes read

Understanding the HIPAA Breach Notification Rule helps you respond decisively when Protected Health Information (PHI) is exposed. This guide clarifies what counts as a breach, the limited exceptions, how to run a defensible risk assessment, the required notices and their timelines, and how “unsecured PHI” is defined, with practical examples throughout.

Definition of Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. A breach is presumed unless you demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised.

The definition applies to PHI in any form—electronic, paper, or oral—and includes both internal misuse and Unauthorized Disclosure to external parties. For Breach Notification Rule purposes, notification obligations attach when the incident involves unsecured PHI.

Key elements

  • Impermissible use or disclosure of PHI under the Privacy Rule.
  • Presumption of breach unless a risk assessment shows low probability of compromise.
  • Discovery occurs when the incident is known or should reasonably have been known with due diligence.

Examples

  • A stolen, unencrypted laptop containing patient demographics and diagnoses.
  • Misdirected discharge summaries emailed to a non-work address outside your organization.
  • A business associate accidentally posting PHI to a public website.

Exceptions to Breach Definition

HIPAA recognizes three narrow exceptions under which an incident is not a breach. These exceptions (two of which concern workforce members) cover scenarios where the risk is inherently limited and quickly contained.

  • Unintentional acquisition, access, or use of PHI by a workforce member or person acting under a covered entity’s or business associate’s authority, in good faith and within scope, with no further impermissible use or disclosure.
  • Inadvertent disclosure by an authorized person to another authorized person within the same covered entity, business associate, or organized health care arrangement, with no further impermissible use.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, mail returned unopened or a device immediately secured before data could be viewed).

Examples

  • A nurse opens the wrong patient chart but immediately closes it and reports the error; no screenshots or further disclosure occur.
  • A physician emails PHI to another authorized clinician within the same covered entity to coordinate care.
  • A patient summary is handed to the wrong patient in the lobby, retrieved at once before it is read.

Risk Assessment Factors

To rebut the presumption of breach, you must follow a documented risk assessment protocol and show how the probability of compromise is low. HIPAA requires consideration of at least the following four factors; your analysis should be consistent, repeatable, and auditable.

  • Nature and extent of PHI involved, including identifiers and the likelihood of re-identification (for example, SSNs, diagnoses, treatment plans, account numbers).
  • The unauthorized person who used the PHI or to whom the disclosure was made (including whether they have legal or professional duties to protect confidentiality).
  • Whether the PHI was actually acquired or viewed, versus only exposed in theory.
  • The extent to which the risk has been mitigated (for example, retrieval, verified deletion, or written assurances limiting use and disclosure).

Applying risk assessment protocols

  • Immediately contain the incident, preserve logs, and confirm scope across systems and paper records.
  • Catalog data elements involved and evaluate sensitivity and re-identification risk.
  • Identify recipients, determine if PHI was accessed or exfiltrated, and seek mitigation (return, secure deletion, attestations).
  • Decide and document whether notification is required; retain your assessment and rationale as part of your compliance obligations as a covered entity or business associate.

Notification Requirements

When a reportable breach of unsecured PHI occurs, covered entities must notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, in certain cases, the media. Business associates must notify the covered entity. Your notification timelines, recipients, and notice content must meet HIPAA’s specifications.

Who notifies whom

  • Business associate to covered entity: without unreasonable delay and no later than 60 days after discovery, providing identities of affected individuals and known details.
  • Covered entity to individuals: without unreasonable delay and no later than 60 days after discovery.
  • Covered entity to HHS: for breaches affecting 500 or more individuals, without unreasonable delay and within 60 days of discovery; for fewer than 500 individuals, report to HHS within 60 days after the end of the calendar year in which the breaches were discovered.
  • Media notice: if a breach affects more than 500 residents of a state or jurisdiction, notify prominent media in that area within the same 60-day outer limit.

Content and method of notice

  • Content must include: a brief description of the breach (including dates), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate/mitigate/prevent, and contact information.
  • Method: first-class mail to the last known address or email if the individual has agreed; provide alternative or substitute notice when contact information is insufficient.

Special situations

  • Substitute notice: for fewer than 10 individuals, use an alternative method (for example, telephone); for 10 or more with insufficient contact info, use a website posting or broad media notice.
  • Law-enforcement delay: delay notification if an authorized official states that notice would impede an investigation or threaten national security; resume once the delay period ends.
  • Documentation: maintain incident logs, risk assessments, and copies of notices so you can demonstrate compliance on request.

Unsecured PHI Definition

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through technology or methodology specified by HHS. When PHI is properly secured, an incident may not be a reportable breach even if a device or record is lost or stolen.

What makes PHI “secured”

  • Encryption consistent with NIST guidance, using FIPS 140-2 or 140-3 validated cryptographic modules for data in transit and at rest, where the decryption key has not itself been compromised along with the data.
  • Proper destruction: paper and film are shredded or otherwise destroyed so PHI cannot be read or reconstructed; electronic media are cleared, purged, or destroyed consistent with recognized sanitization guidance.

Examples

  • A stolen laptop protected by full-disk encryption using a FIPS-validated module is typically not a breach requiring notification.
  • An unencrypted USB drive with visit summaries lost in transit involves unsecured PHI and likely triggers notification.
  • Paper records shredded per policy are secured; records left in an unlocked bin are not.

Conclusion

The HIPAA Breach Notification Rule hinges on three pillars: a precise breach definition, a documented risk assessment, and timely, content-rich notifications when unsecured PHI is involved. By hardening systems with strong encryption, training staff to prevent unauthorized disclosure, and rigorously documenting your risk assessment protocol, you strengthen your compliance posture as a covered entity and reduce the likelihood and impact of reportable events.

FAQs

What constitutes a breach under the HIPAA rule?

A breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. It is presumed a breach unless a documented assessment shows a low probability of compromise based on HIPAA’s required factors.

When are notifications required after a breach?

Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Notify HHS within 60 days of discovery for incidents affecting 500 or more individuals (and prominent media if more than 500 residents of a state or jurisdiction are affected). For fewer than 500 individuals, log the breach and report it to HHS within 60 days after the end of the calendar year.

What exceptions exist to the breach definition?

Three exceptions apply: certain good-faith, within-scope workforce actions; inadvertent disclosures between authorized persons within the same entity or arrangement; and situations where the recipient could not reasonably have retained the information. If an exception applies, the incident is not a breach.

How is unsecured PHI defined under HIPAA?

Unsecured PHI is PHI not rendered unusable, unreadable, or indecipherable to unauthorized individuals through appropriate encryption or destruction. When PHI is protected with recognized encryption or properly destroyed, it is considered secured and typically does not trigger breach notification duties.
