What Is a PHI Breach? HIPAA Definition, Examples, and How to Report It


Kevin Henry

HIPAA

July 11, 2025

8 minutes read

Definition of PHI Breach

A PHI breach is the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. Unless a documented risk assessment shows a low probability that the PHI was compromised, the incident is presumed to be a breach.

PHI includes any individually identifiable health information, whether on paper, verbally communicated, or in electronic form (ePHI). The HIPAA Breach Notification Rule specifically applies to breaches of Unsecured Protected Health Information—PHI that has not been rendered unusable, unreadable, or indecipherable through approved methods such as strong encryption or proper destruction.

In practice, a PHI breach triggers obligations for Covered Entities (health plans, most providers, and clearinghouses) and their Business Associates (vendors handling PHI) to investigate, document, and, when required, notify affected parties and regulators.

Examples of PHI Breaches

Real-world incidents vary widely, but common patterns recur. Use these examples to benchmark your own controls and response playbooks.

  • Lost or stolen devices: An unencrypted laptop, smartphone, or USB drive containing patient lists, diagnoses, or billing data is misplaced or stolen.
  • Misdirected communications: An email with lab results is sent to the wrong patient, or discharge paperwork is mailed to an outdated address.
  • Cloud misconfiguration: An ePHI database or storage bucket is exposed to the internet due to incorrect access controls.
  • Phishing and account takeover: An employee’s email is compromised, exposing messages with appointment details, insurance IDs, or clinical notes.
  • Unauthorized snooping: A workforce member without a need to know looks up a neighbor’s or celebrity’s record.
  • Ransomware or malware: Malicious encryption or exfiltration of ePHI occurs; unless you can demonstrate a low probability of compromise, this is typically a breach.
  • Improper disposal: Paper charts or prescription labels are discarded in regular trash rather than destroyed; similarly, media is resold without secure wiping.
  • Vendor incidents: A billing company, transcription service, or IT provider (a Business Associate) exposes PHI through a system error or subcontractor lapse.

Reporting PHI Breaches

When you suspect a PHI breach, move quickly and methodically. The HIPAA Breach Notification Rule requires timely action and documentation.

  • Contain and preserve: Secure accounts, devices, and systems; disable compromised credentials; and preserve logs and evidence.
  • Verify scope: Determine whether PHI is involved, whether it is Unsecured Protected Health Information, and which individuals and data elements are affected.
  • Assess risk: Apply the required risk assessment methodology to decide if breach notification is necessary.
  • Document decisions: Record facts, analysis, and conclusions, including your Breach Notification Timeline and mitigation steps.

Notification responsibilities differ by role. Covered Entities must notify affected individuals and the U.S. Department of Health and Human Services (HHS) when a reportable breach occurs; they must also notify prominent media if the breach affects more than 500 residents in a state or jurisdiction. Business Associates must notify the Covered Entity without unreasonable delay (and no later than 60 days after discovery), providing the identities of affected individuals and all information needed for the notices.

Timelines matter. Individual notice must be provided without unreasonable delay and in no case later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, the Covered Entity must notify HHS within the same 60-day outer limit; for fewer than 500, HHS may be notified via the annual log within 60 days of the end of the calendar year. If more than 500 residents of a single state or jurisdiction are affected, media notice is also required within 60 days. A documented law enforcement delay may temporarily pause notifications.

Content of notices should include a brief description of what happened, the types of PHI involved, steps individuals should take to protect themselves, what your organization is doing to investigate and mitigate the harm, and contact information. Use first-class mail or email if the individual has agreed to electronic notice, and provide substitute notice when contact information is insufficient.

Exceptions to Breach Definition

Some incidents are not breaches under HIPAA, even if PHI is involved. Understanding these exceptions helps you respond proportionately.

  • Good-faith, unintentional access: A workforce member accidentally accesses PHI while performing duties, with no further improper use or disclosure.
  • Inadvertent disclosure to an authorized person: PHI is shared between two workforce members or Business Associates who are each authorized to access the information, and it is not further misused.
  • Good-faith belief of non-retention: You have a good-faith belief the unauthorized recipient could not reasonably have retained the information (for example, a sealed letter returned unopened, or a misdirected email promptly deleted without being accessed).

Additionally, if PHI is secured under recognized Encryption Standards or has been properly destroyed, it is not “unsecured,” and the Breach Notification Rule is not triggered by its loss or theft.


Risk Assessment for Breach Notification

HIPAA requires you to evaluate and document the probability that PHI has been compromised before deciding whether to notify. A sound risk assessment methodology addresses four mandatory factors and any additional relevant considerations.

  • Nature and extent of PHI: Identify data elements (e.g., names, SSNs, diagnoses, medications). Sensitive identifiers and clinical content increase risk.
  • Unauthorized person: Consider who received or accessed the PHI and their ability to re-identify or misuse it.
  • Whether PHI was actually acquired or viewed: Use logs, DLP alerts, forensic artifacts, and recipient attestations to determine exposure depth.
  • Mitigation: Evaluate steps taken—e.g., immediate password resets, remote wipe, recipient confirmation of deletion, or retrieval of documents—and their effectiveness.

Translate these factors into a reasoned, documented conclusion. Many organizations use a qualitative matrix (e.g., low, moderate, high) mapped to notification decisions. Keep evidence, analysis notes, leadership sign-off, and timelines together to support audits and demonstrate diligence.
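The following is an added worked example, not code from this article or from Accountable. It turns the decision logic described in the Reporting and Risk Assessment sections into a small, runnable helper: the "secured PHI" carve-out, the three statutory exceptions, the presumption of breach when the four-factor assessment is incomplete or shows elevated risk, and the outer-limit deadlines (60 calendar days, the 500-individual HHS threshold, the more-than-500-residents-of-one-state media threshold, and the annual log for smaller breaches). The boolean "low risk" flag per factor, the exception labels, and the treatment of a law enforcement delay as a simple shift of the clock are assumptions made for illustration; a real assessment is a documented, qualitative judgment reviewed by privacy and legal staff.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Thresholds and windows as stated in the article (constructed constants).
NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 calendar days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500        # 500 or more individuals -> notify HHS within 60 days
MEDIA_THRESHOLD = 500                # more than 500 residents of one state -> media notice

# Four mandatory risk-assessment factors; each flag is True when that factor
# supports a LOW probability of compromise (assumed encoding, for illustration).
FACTORS = ("nature_extent", "unauthorized_person", "acquired_or_viewed", "mitigation")

# Labels for the three exceptions in the Breach Notification Rule (assumed names).
EXCEPTIONS = ("good_faith_access", "authorized_recipient", "non_retention")


@dataclass
class Incident:
    discovered: date
    individuals_affected: int
    residents_by_state: Dict[str, int]          # constructed, e.g. {"TX": 620, "OK": 40}
    unsecured: bool                             # False if encrypted to standard or destroyed
    exception: Optional[str] = None             # one of EXCEPTIONS, if applicable
    factor_low: Dict[str, bool] = field(default_factory=dict)
    law_enforcement_delay_days: int = 0         # documented delay; modelled as a clock shift


def is_reportable_breach(inc: Incident) -> Tuple[bool, str]:
    """Apply the presumption-of-breach logic and explain the outcome."""
    if not inc.unsecured:
        return False, "PHI was secured (encrypted or destroyed); rule not triggered"
    if inc.exception in EXCEPTIONS:
        return False, "statutory exception applies: " + inc.exception
    missing = [f for f in FACTORS if f not in inc.factor_low]
    if missing:
        # An undocumented factor cannot support a low-probability finding.
        return True, "presumed breach: assessment incomplete for " + ", ".join(missing)
    if all(inc.factor_low[f] for f in FACTORS):
        return False, "documented assessment shows low probability of compromise"
    high = [f for f in FACTORS if not inc.factor_low[f]]
    return True, "presumed breach: elevated risk on " + ", ".join(high)


def notification_deadlines(inc: Incident) -> dict:
    """Compute the outer-limit deadline for each notice the rule requires."""
    reportable, reason = is_reportable_breach(inc)
    out = {"reportable": reportable, "reason": reason}
    if not reportable:
        return out
    clock_start = inc.discovered + timedelta(days=inc.law_enforcement_delay_days)
    out["individual_notice_by"] = clock_start + NOTICE_WINDOW
    if inc.individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        out["hhs_notice_by"] = clock_start + NOTICE_WINDOW
    else:
        # Fewer than 500: annual log, within 60 days of the end of the calendar year.
        out["hhs_notice_by"] = date(inc.discovered.year, 12, 31) + NOTICE_WINDOW
    media_states = [s for s, n in inc.residents_by_state.items() if n > MEDIA_THRESHOLD]
    if media_states:
        out["media_notice_by"] = clock_start + NOTICE_WINDOW
        out["media_states"] = media_states
    return out


if __name__ == "__main__":
    # Constructed scenario: unencrypted laptop, 620 Texas patients, only mitigation looks good.
    laptop = Incident(
        discovered=date(2025, 7, 11),
        individuals_affected=620,
        residents_by_state={"TX": 620},
        unsecured=True,
        factor_low={"nature_extent": False, "unauthorized_person": False,
                    "acquired_or_viewed": False, "mitigation": True},
    )
    for k, v in notification_deadlines(laptop).items():
        print(f"{k}: {v}")
```

Running the block prints the reportable finding, the individual, HHS, and media deadlines (all 2025-09-09 for this scenario) and the state that triggers media notice. Swapping `unsecured=True` for `unsecured=False` shows why device encryption is the control with the largest effect on notification exposure: the same lost laptop produces no notification obligation at all.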

Penalties for Non-Compliance

HIPAA’s civil penalty structure has four tiers, ranging from violations where you could not have known with reasonable diligence to willful neglect not corrected. Penalties are assessed per violation with annual caps and are adjusted periodically for inflation; total exposure can reach millions of dollars in a single year depending on scope and aggravating factors.

Failure to report a PHI breach when required frequently elevates the enforcement posture, leading to larger settlements, corrective action plans, and ongoing monitoring by regulators. Criminal penalties may apply for knowingly obtaining or disclosing PHI under false pretenses or with intent to profit or cause harm.

Regulators weigh factors such as the number of individuals affected, duration of noncompliance, the absence of Encryption Standards, inadequate policies, repeat history, and cooperation during investigations.

Preventive Measures for PHI Security

Strong prevention reduces breach likelihood and impact while improving defensibility if an incident occurs. Focus on practical, layered safeguards that map to HIPAA’s administrative, physical, and technical requirements.

  • Governance and training: Maintain current policies, role-based training, phishing simulations, sanctions, and documented risk analyses and audits.
  • Access control: Enforce least-privilege, role-based access, multi-factor authentication, and rapid deprovisioning; monitor access to high-risk records.
  • Data protection: Apply Encryption Standards to ePHI at rest and in transit (e.g., AES-256, TLS 1.2+ with FIPS-validated cryptography), enable device encryption and remote wipe, and use secure backups with immutable storage.
  • Email and endpoint security: Deploy advanced phishing defenses, data loss prevention, mobile device management, and patch/vulnerability management.
  • Vendor and Business Associate oversight: Execute and maintain Business Associate Agreements, assess security posture, and flow down controls to subcontractors.
  • Secure development and cloud hygiene: Implement least-privilege identities, network segmentation, logging, and configuration baselines; continuously scan for misconfigurations.
  • Incident response readiness: Maintain a tested breach response plan, on-call roles, legal/PR and compliance playbooks, and clear criteria for invoking notification.
  • Secure disposal and media handling: Use certified destruction for paper and sanitize or destroy electronic media before reuse or disposal.

Key takeaways: define what a PHI breach is, document a defensible risk assessment, and act within the Breach Notification Timeline. Combine strong encryption, disciplined access control, vigilant vendors, and a tested response plan to reduce both breach likelihood and regulatory risk.

FAQs

What constitutes a PHI breach under HIPAA?

A PHI breach is any acquisition, access, use, or disclosure of PHI that violates the Privacy Rule and compromises the information’s security or privacy. Unless your documented assessment shows a low probability of compromise, the incident is presumed a breach. Three narrow exceptions may apply: good-faith, unintentional access; inadvertent disclosure between authorized persons; or a good-faith belief that the recipient could not reasonably retain the information.

How soon must a PHI breach be reported?

Provide individual notices without unreasonable delay and no later than 60 calendar days after discovery. If 500 or more individuals are affected, notify HHS within the same 60-day outer limit and prominent media when 500+ residents of a state or jurisdiction are impacted. For fewer than 500 individuals, report to HHS via the annual log within 60 days after the calendar year ends. Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 days.

Who is responsible for reporting PHI breaches?

The Covered Entity is responsible for notifying affected individuals, HHS, and, when applicable, the media. Business Associates must notify the Covered Entity and supply all information needed for the notices. Contracts may delegate tasks, but regulatory accountability ultimately rests with the Covered Entity for its workforce and vendors.

What are the penalties for failing to report a PHI breach?

Penalties escalate under HIPAA’s four-tier civil structure and can reach millions of dollars annually depending on violation scope and aggravating factors. Failure to report typically increases enforcement severity and can lead to costly settlements, corrective action plans, and potential criminal exposure when misconduct is intentional or deceptive.
