What Is a HIPAA Breach? Examples, Penalties, and How to Report One

Kevin Henry

HIPAA

June 24, 2025

Definition of HIPAA Breach

What the law means by a breach

A HIPAA breach is an impermissible use or disclosure of Protected Health Information (PHI) that violates the Privacy Rule and compromises the security or privacy of that PHI. Electronic PHI (ePHI) is treated the same as paper or verbal PHI, and both covered entities and business associates can trigger a breach through an impermissible disclosure.

The risk assessment standard

HIPAA presumes an impermissible use or disclosure is a breach unless you demonstrate a low probability of compromise via a documented Risk Assessment. At minimum, evaluate: (1) the nature and extent of PHI involved, (2) who used or received it, (3) whether it was actually acquired or viewed, and (4) how effectively the risk was mitigated.

Recognized exceptions

Three recognized exceptions do not count as breaches: good-faith, unintentional access by an authorized workforce member acting within the scope of their role; inadvertent disclosure between two persons authorized to access PHI within the same organization or arrangement; and disclosures where the recipient could not reasonably have retained the information.

Secured vs. unsecured PHI

The Breach Notification Rule applies to unsecured PHI. If PHI is rendered unusable, unreadable, or indecipherable—such as through strong Encryption Standards or proper destruction—notification is not required. Effective Access Controls and encryption reduce both breach likelihood and notification obligations.

Examples of HIPAA Breaches

  • Lost or stolen laptops, smartphones, or USB drives containing unencrypted PHI.
  • Misdirected emails or faxes that expose patient demographics, lab results, or diagnoses to the wrong recipient.
  • Ransomware or other malware that exfiltrates or encrypts ePHI on unpatched systems.
  • Workforce “snooping” in patient records without a legitimate treatment, payment, or operations purpose.
  • Improper disposal of paper records or device media, leading to public exposure of PHI.
  • Weak Access Controls (e.g., shared logins, no MFA) that allow unauthorized system access.
  • Cloud misconfigurations that publicly expose databases or file shares with PHI.
  • Business associate errors, such as mailing invoices with PHI to the wrong patients.

Penalties for HIPAA Breaches

Civil Monetary Penalties

HIPAA allows Civil Monetary Penalties that follow a tiered framework based on the level of culpability—from lack of knowledge to willful neglect not corrected. Amounts are applied per violation with annual caps and are adjusted for inflation. Factors such as the number of individuals affected, the sensitivity of PHI, mitigation efforts, and organizational compliance history influence final penalties.

Settlements and corrective actions

Most enforcement actions end in resolution agreements that include monetary settlements and multi‑year Corrective Action Plans. These plans often require improvements to Risk Assessment processes, policies, workforce training, and technical safeguards.

Criminal liability and other exposure

Knowingly obtaining or disclosing PHI in violation of HIPAA can carry criminal penalties, with steeper consequences for false pretenses or intent to sell or misuse the data. Individuals generally cannot sue under HIPAA itself, but state laws may allow related claims after a breach.

Reporting HIPAA Breaches

Stabilize and assess

First, contain the incident, preserve evidence, and begin your Risk Assessment. Determine whether unsecured PHI was involved and whether the low‑probability standard can be met. Document every decision and remediation step.

Notify individuals

If notification is required, inform affected individuals without unreasonable delay and no later than 60 calendar days from discovery. Notices must describe what happened (including dates), the types of PHI involved, steps individuals should take, what you are doing to mitigate the harm, and how to contact you.

Notify HHS and, if needed, the media

Report breaches affecting 500 or more individuals to HHS within 60 days of discovery and notify prominent media if 500 or more residents in a single state or jurisdiction are affected. For fewer than 500 individuals, log the incident and report it to HHS no later than 60 days after the end of the calendar year.

Business associate responsibilities

Business associates must notify the covered entity of breaches without unreasonable delay (and as specified in the business associate agreement). They must provide the identities of affected individuals and the information needed for timely notifications.
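The four reporting steps above reduce to a small set of clocks that an incident response team has to track. The following Python calculator is an added example, not Accountable's code; it encodes the deadlines exactly as stated in this section and labels its assumptions: "60 days" is counted as the discovery date plus 60 calendar days, the annual log for breaches under 500 individuals is taken to be due 60 days after the end of the calendar year in which the breach was discovered, and the business associate's notice to the covered entity is reported as a flag rather than a date because the business associate agreement governs its timing.

```python
"""Compute HIPAA breach-notification deadlines (added example, not the page's code).

Assumptions (not stated on the page):
  - "60 days" means discovery date + 60 calendar days.
  - The annual log for breaches of fewer than 500 people is due 60 days after
    the end of the calendar year in which the breach was discovered.
  - Business associate notice to the covered entity follows the BAA, so it is
    returned as a descriptive flag, not a computed date.
"""
from datetime import date, timedelta

HHS_THRESHOLD = 500      # individuals: at/above this, HHS is notified within 60 days
MEDIA_THRESHOLD = 500    # residents of one state/jurisdiction: at/above this, notify media
NOTIFY_WINDOW = timedelta(days=60)


def notification_deadlines(discovered, affected_by_state, is_business_associate=False):
    """Return the required notices and their outer deadlines.

    discovered: date the breach was discovered
    affected_by_state: {state_or_jurisdiction_code: number of affected residents}
    """
    if not affected_by_state:
        raise ValueError("no affected individuals: nothing to schedule")
    total = sum(affected_by_state.values())

    # Individual notices: without unreasonable delay, no later than 60 days.
    individual_deadline = discovered + NOTIFY_WINDOW

    # HHS: 500+ -> within 60 days of discovery; otherwise logged and reported
    # no later than 60 days after the end of the calendar year (assumed: year of discovery).
    if total >= HHS_THRESHOLD:
        hhs_deadline = discovered + NOTIFY_WINDOW
        hhs_timing = "within 60 days of discovery"
    else:
        year_end = date(discovered.year, 12, 31)
        hhs_deadline = year_end + NOTIFY_WINDOW
        hhs_timing = "annual log, within 60 days after end of calendar year"

    # Media: any single state/jurisdiction with 500+ affected residents.
    media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD)

    plan = {
        "total_affected": total,
        "individuals": individual_deadline,
        "hhs": hhs_deadline,
        "hhs_timing": hhs_timing,
        "media": media_states,
    }
    if is_business_associate:
        plan["covered_entity"] = "without unreasonable delay, per BAA terms"
    return plan


if __name__ == "__main__":
    # Constructed scenario: stolen unencrypted laptop discovered on 24 June 2025.
    for key, value in notification_deadlines(date(2025, 6, 24), {"TX": 700, "OK": 20}).items():
        print(f"{key}: {value}")
```

For the constructed scenario the individual and HHS deadlines both land on 23 August 2025 and Texas crosses the media threshold; dropping the count to 100 Texans moves the HHS obligation to the annual log, due 1 March 2026.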

Preventing HIPAA Breaches

Governance and risk management

Perform an enterprise‑wide Risk Assessment at least annually, track remediation to completion, and enforce policies aligned with the Security Rule and the minimum necessary standard. Test your incident response plan and conduct regular tabletop exercises.

Technical safeguards

  • Implement strong Access Controls: unique IDs, least privilege, role‑based access, and MFA.
  • Apply Encryption Standards for data at rest and in transit; securely manage keys and backups.
  • Enable audit logs and alerts; monitor anomalous activity and ePHI access patterns.
  • Patch systems promptly, harden endpoints, and segment networks that store ePHI.
  • Use email security, DLP, and secure disposal for media and paper.

Workforce and vendor diligence

Deliver role‑based training with phishing simulations, maintain a sanctions policy, and verify identity before disclosures. Vet vendors, execute robust business associate agreements, and review their security posture regularly.

FAQs

What constitutes a HIPAA breach?

A HIPAA breach occurs when PHI is used or disclosed in a way the Privacy Rule does not permit and the incident is not covered by an exception. Unless your documented Risk Assessment shows a low probability of compromise, the event is presumed to be a breach that triggers the Breach Notification Rule.

How are HIPAA breaches reported?

Contain the incident, complete your Risk Assessment, and notify affected individuals without unreasonable delay and no later than 60 days from discovery. Report to HHS as required, notify the media for large state‑level incidents, and ensure business associates alert covered entities promptly with all necessary details.

What penalties apply for HIPAA violations?

OCR can impose tiered Civil Monetary Penalties per violation with annual caps, adjusted for inflation. Outcomes depend on factors like willful neglect, mitigation, and prior history. Many cases result in settlements with Corrective Action Plans; egregious conduct can lead to criminal charges.

How can organizations prevent HIPAA breaches?

Build a mature compliance program: perform regular Risk Assessments, enforce strong Access Controls, encrypt data at rest and in transit, monitor and log ePHI access, train your workforce, manage vendors carefully, and rehearse incident response. These steps reduce both breach likelihood and notification exposure.
