What Is a HIPAA Breach? Definition, Examples, and Reporting Requirements


Kevin Henry

HIPAA

June 16, 2025


Definition of HIPAA Breach

A HIPAA breach is an impermissible use or disclosure of protected health information (PHI) under the Privacy Rule that compromises the privacy or security of the data. Under the Breach Notification Rule, you must presume a breach occurred unless a documented risk assessment shows a low probability that PHI was compromised.

Who must comply

The rule applies to covered entities—health care providers, health plans, and health care clearinghouses—and to their business associates that create, receive, maintain, or transmit PHI on their behalf.

Unsecured vs. secured PHI

Notification duties apply only to “unsecured PHI,” meaning data not rendered unusable, unreadable, or indecipherable to unauthorized persons. Effective data encryption (and proper key management) or proper destruction provides a safe harbor because encrypted or destroyed PHI is considered secured.

Regulatory exceptions

  • Good-faith, unintentional access or use by a workforce member within scope of authority, with no further impermissible disclosure.
  • Inadvertent disclosure from one authorized person to another within the same covered entity, business associate, or organized health care arrangement, without further misuse.
  • Situations where you have a good-faith belief the unauthorized recipient could not reasonably have retained the information.

Common Examples of HIPAA Breaches

  • Lost or stolen laptops, smartphones, or USB drives lacking data encryption.
  • Misdirected email or fax containing diagnoses, lab results, Social Security numbers, or insurance IDs.
  • Ransomware, malware, or hacking of ePHI systems or patient portals.
  • Unauthorized “snooping” by workforce members into records of friends, family, or celebrities.
  • Improper disposal of paper charts or media, such as records found in regular trash.
  • Cloud storage or database misconfiguration by business associates exposing PHI to the public internet.
  • Sharing PHI on social media or in public areas, including photos where patient information is visible.

Not every incident is a breach. Apply the risk assessment to determine whether there is a low probability of compromise before deciding on notification.

Risk Assessment Procedures

Conduct and document a thorough risk assessment immediately after discovery. This analysis determines whether there is a low probability that PHI was compromised and directs your next steps under the Breach Notification Rule.

The four-factor analysis

  1. Nature and extent of PHI involved: sensitivity (e.g., diagnoses, SSNs), volume, and likelihood of re-identification.
  2. Unauthorized person: who used or received the PHI and whether they are obligated to protect confidentiality.
  3. Whether PHI was actually acquired or viewed: forensic logs, access reports, and audit trails are key evidence.
  4. Extent of mitigation: prompt retrieval, secure deletion, remote wipe, or written assurances reduce risk.

Practical steps

  • Contain the incident: disable accounts, revoke credentials, isolate affected systems, and initiate remote wipe where possible.
  • Preserve evidence: keep logs, screenshots, and timelines to support your findings.
  • Engage necessary partners: coordinate with business associates, IT security, and legal counsel.
  • Decide and document: if the probability of compromise remains more than low, treat the event as a reportable breach; keep the assessment and supporting records for at least six years.

Role of data encryption

If PHI was encrypted according to industry standards and keys were not compromised, the incident typically does not involve unsecured PHI and may not trigger notification. Still, record your analysis and mitigation.

Individual Notification Requirements

If the assessment shows more than a low probability of compromise, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.

Method and content of notice

  • Method: first-class mail to the last known address, or email if the individual has agreed to receive electronic notices.
  • Urgent situations: use telephone or other expedient means if potential harm is imminent.
  • Content: a plain-language description of what happened (including date of breach and discovery), types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and contact information for questions (e.g., toll-free number, email, postal address).

Substitute notice

  • If fewer than 10 individuals are unreachable, use an alternative method such as telephone.
  • If 10 or more are unreachable, provide substitute notice via a conspicuous posting on your website or via major print/broadcast media in the areas where affected individuals reside, and maintain a toll-free number active for at least 90 days.

Reporting to the Secretary of Health and Human Services

Covered entities must also notify the Secretary under the Breach Notification Rule; business associates notify the covered entity and provide details needed for downstream notices.

Timing thresholds

  • Breaches involving 500 or more individuals: report to HHS without unreasonable delay and in no case later than 60 calendar days after discovery.
  • Breaches involving fewer than 500 individuals: log each event and submit to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered.

What to include

  • Number of affected individuals, incident dates, discovery date, and a narrative of what occurred.
  • Types of PHI involved and mitigation steps taken.
  • Notifications sent, including to individuals and media if applicable.

Coordinate closely with business associates. Contractual terms should require timely BA reporting (often far shorter than 60 days) so you can meet your federal deadlines.

Media Notification Obligations

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery.

The media notice should mirror the individual notice in clarity and content. Issue a press release or equivalent statement and prepare consistent messaging for inquiries. Media notice is in addition to individual and HHS notifications.
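As an added example (not part of the article or of any vendor's software), the following Python routine turns the rules from the individual, HHS, substitute-notice and media sections above into a single checklist for one incident: the safe harbor for secured PHI, the 60-calendar-day clock from discovery, the 500-individual thresholds, the annual log for smaller breaches, and the 10-unreachable rule. The `Incident` fields and the sample incidents are assumptions constructed for illustration; the judgment calls (whether the four-factor assessment found a low probability of compromise, whether keys were exposed) are inputs, not something code can decide.

```python
# Added example: Breach Notification Rule obligations checklist (illustrative, not legal advice)
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60           # "no later than 60 calendar days after discovery"
LARGE_BREACH_THRESHOLD = 500      # 500+ individuals: prompt HHS report; 500+ in one state: media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10+ unreachable individuals: website posting or major media
TOLL_FREE_DAYS = 90               # toll-free number must stay active at least 90 days


@dataclass
class Incident:
    discovered: date
    affected_by_state: dict               # state/jurisdiction -> number of affected residents
    unreachable: int = 0                  # individuals with no usable contact details
    phi_encrypted: bool = False           # encrypted to industry standards
    keys_compromised: bool = False        # encryption keys also exposed?
    low_probability_of_compromise: bool = False  # result of the documented four-factor assessment


def obligations(inc: Incident) -> dict:
    """Return which notices are owed for one incident and the latest date for each."""
    total = sum(inc.affected_by_state.values())
    result = {"reportable": True, "total_affected": total}
    # Safe harbor: encrypted PHI with uncompromised keys is "secured" PHI, so no notification
    # duty arises; the same holds when the risk assessment finds a low probability of compromise.
    if (inc.phi_encrypted and not inc.keys_compromised) or inc.low_probability_of_compromise:
        result["reportable"] = False
        result["action"] = "document the risk assessment and mitigation; no notification required"
        return result
    clock = inc.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    result["individual_notice_by"] = clock.isoformat()
    if total >= LARGE_BREACH_THRESHOLD:
        result["hhs_report_by"] = clock.isoformat()        # same 60-day clock as individual notice
    else:
        # Smaller breaches are logged and reported within 60 days after the end of the calendar year.
        year_end = date(inc.discovered.year, 12, 31)
        result["hhs_report_by"] = (year_end + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat()
    result["media_notice_states"] = sorted(
        s for s, n in inc.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    result["media_notice_by"] = clock.isoformat() if result["media_notice_states"] else None
    if inc.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        result["substitute_notice"] = f"website posting or major media; toll-free number for {TOLL_FREE_DAYS} days"
    elif inc.unreachable > 0:
        result["substitute_notice"] = "alternative method such as telephone"
    else:
        result["substitute_notice"] = None
    return result


# Constructed sample incidents (not real events) for running the checklist.
SAMPLE_LARGE = Incident(date(2025, 6, 16), {"TX": 900, "OK": 300}, unreachable=25)
SAMPLE_SMALL = Incident(date(2025, 3, 3), {"CA": 40}, unreachable=3)
SAMPLE_SECURED = Incident(date(2025, 3, 3), {"CA": 40}, phi_encrypted=True)
```

Running `obligations(SAMPLE_LARGE)` yields individual, HHS and Texas media notices all due by 2025-08-15 plus substitute notice with a 90-day toll-free line, while `SAMPLE_SMALL` goes into the annual log due 2026-03-01 and `SAMPLE_SECURED` is not reportable.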

Compliance Policies and Employee Training

Strong compliance practices reduce breach risk and improve response readiness. Establish clear policies, train your workforce, and enforce accountability through appropriate workforce sanctions for violations.

Core program elements

  • Governance: designate privacy and security officials; define incident response roles and escalation paths.
  • Policies and procedures: access controls, minimum necessary, device/media controls, secure disposal, and vendor management for business associates.
  • Technical safeguards: robust data encryption, multi-factor authentication, network segmentation, patching, and continuous auditing of access logs.
  • Training and awareness: new-hire onboarding, annual refreshers, phishing simulations, and role-based training for high-risk functions.
  • Testing and drills: tabletop exercises to practice containment, risk assessment, and notification workflows.
  • Enforcement and documentation: apply workforce sanctions consistently and retain required documentation for at least six years.

Conclusion

Knowing what qualifies as a HIPAA breach, how to analyze risk, and when to notify individuals, HHS, and the media positions you to act quickly and lawfully. Embed prevention—especially encryption and strong training—so incidents are contained early and obligations are met with confidence.

FAQs

What constitutes a HIPAA breach?

A HIPAA breach is an impermissible use or disclosure of PHI that compromises its privacy or security. Unless your documented risk assessment shows a low probability of compromise—or a specific exception applies—you must treat the incident as a reportable breach of unsecured PHI.

How soon must individuals be notified after a breach?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. If there is an imminent risk of harm, provide notice more quickly using telephone or other expedient methods.

When must a breach be reported to the Secretary of Health and Human Services?

For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and in no case later than 60 days after discovery. For breaches affecting fewer than 500 individuals, record each incident and submit an annual report to HHS no later than 60 days after the end of the calendar year.

What are the media notification requirements for a HIPAA breach?

If a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery. Media notice supplements—not replaces—individual and HHS notifications.
