What Is Considered a Breach of PHI Under HIPAA? Examples and What To Do Next
Under HIPAA, a breach of Protected Health Information (PHI) is an impermissible use or disclosure that compromises the privacy or security of that information. Unless you can show a low probability of compromise through a documented risk assessment, it is presumed to be a breach. Understanding what counts—and how to respond—helps you maintain HIPAA Compliance and meet the Breach Notification Rule.
Unauthorized Access to PHI
What it means
Unauthorized access occurs when someone views, uses, or retrieves PHI without a valid job-based reason or patient authorization. Weak Access Control Policies, shared logins, or absent audit trails often sit at the root of these incidents.
Examples
- Workforce “snooping” on a family member’s chart without treatment need.
- Using a shared workstation left unlocked to open patient records.
- Accessing entire charts when only the “minimum necessary” data was needed.
- Third parties viewing PHI because a role or access profile was misconfigured.
- Former employees retaining access after termination.
What to do next
- Immediately revoke improper access; secure accounts, change passwords, and enable MFA.
- Preserve system logs and perform the four-factor risk assessment (data sensitivity, recipient, whether it was actually viewed/acquired, and mitigation).
- Apply sanctions, retrain staff, and tighten Access Control Policies (unique IDs, role-based access, automatic logoff, routine access reviews).
- If risk is not low, begin Data Breach Notification steps consistent with the Breach Notification Rule.
Loss or Theft of Devices Containing PHI
What it means
Unencrypted laptops, phones, tablets, USB drives, or backup media that are lost or stolen often trigger a breach. If strong device-level encryption meeting recognized Encryption Standards was in place and the key wasn’t compromised, the incident may not be a reportable breach.
Examples
- A stolen unencrypted laptop containing patient schedules and lab results.
- A lost mobile phone with locally cached PHI and no passcode.
- Misplaced USB drive used to transfer billing data.
- Backup tapes sent to storage that never arrive.
What to do next
- Attempt recovery and execute remote lock/wipe; rotate credentials and invalidate app tokens.
- Verify encryption status and device inventory; document whether keys or passwords were exposed.
- Conduct the risk assessment and decide on Data Breach Notification.
- Strengthen controls: full-disk encryption, MDM, automatic screen lock, prohibit local PHI storage, and secure backups.
Improper Disposal of PHI
What it means
Discarding PHI without rendering it unreadable or indecipherable is improper disposal. That includes paper, labels, films, and electronic media that still contain recoverable data.
Examples
- Placing patient documents in regular trash or open recycling bins.
- Donating or reselling copiers, drives, or phones without secure wiping.
- Leaving labeled prescription bottles or wristbands in public receptacles.
- Using a vendor for shredding or e-waste without adequate assurances.
What to do next
- Retrieve exposed materials and secure the area; confirm what was actually accessible.
- For paper, use cross-cut shredding or pulping; for media, follow approved sanitization/destruction methods.
- Adopt a disposal policy, train staff, and use certified vendors under a Business Associate Agreement when handling PHI.
- Perform the risk assessment and notify as required.
Unauthorized Disclosure of PHI
What it means
Disclosures occur when PHI is sent or revealed to someone not authorized to receive it. Many events stem from process errors rather than hacking—but they can still be breaches.
Examples
- Faxing or emailing records to the wrong recipient.
- Using “CC” instead of “BCC” in a patient email.
- Posting identifiable details on social media or in marketing without authorization.
- Discussing a patient in public areas where others can overhear.
What to do next
- Attempt recall or secure deletion; ask unintended recipients to destroy the information and confirm in writing.
- Assess what data was disclosed and to whom; consider the recipient’s legal duty to protect confidentiality.
- Remediate workflows (verification steps, templates with minimum necessary data, secure messaging).
- Proceed with Data Breach Notification if the risk of compromise is not low.
Failure to Implement Safeguards for PHI
What it means
HIPAA’s Security Rule requires administrative, physical, and technical safeguards. Gaps—like no risk analysis, weak Access Control Policies, or missing encryption—raise breach likelihood and can themselves lead to violations.
Examples
- No documented risk analysis or risk management plan.
- Lack of audit logging, monitoring, or timely patching.
- No MFA for remote access or EHR accounts.
- Storing PHI unencrypted contrary to Encryption Standards.
- Insufficient workforce training and sanction policies.
What to do next
- Complete a comprehensive risk analysis; prioritize high-impact remediation.
- Implement role-based access, MFA, encryption at rest/in transit, and routine log reviews.
- Establish incident response, backup/restore, and vendor risk management processes.
- Train staff annually and at onboarding; document all safeguards and updates.
Failure to Enter into Business Associate Agreements
What it means
Before sharing PHI with a vendor that creates, receives, maintains, or transmits PHI on your behalf, you must have a written Business Associate Agreement (BAA). The BAA sets permitted uses, required safeguards, subcontractor flow-downs, and Data Breach Notification duties.
Examples
- Using a cloud storage, billing, or EHR vendor without a signed BAA.
- Engaging a shredding or e-waste company that handles PHI without a BAA.
- Employing a marketing, transcription, or call center service that touches PHI without a BAA.
What to do next
- Inventory all vendors; identify which qualify as business associates.
- Execute BAAs before sharing PHI; ensure subcontractors are bound by equivalent terms.
- Verify security commitments (Access Control Policies, Encryption Standards, breach reporting timelines).
- If PHI was disclosed without a BAA, treat it as a potential breach and assess notification duties.
Failure to Notify Affected Individuals of a Breach
What it means
The Breach Notification Rule requires you to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, unless a documented risk assessment shows a low probability of compromise. Larger incidents also trigger regulator and media notices.
Requirements and timing
- Individuals: Written notice by first-class mail (or email if previously agreed) within 60 days of discovery.
- 500 or more individuals in a state/territory: Notify prominent media in that area within 60 days.
- HHS notice: For 500 or more, within 60 days of discovery; for fewer than 500, within 60 days after the end of the calendar year.
- Content: Brief description of the incident, types of PHI involved, steps individuals should take, what you are doing to investigate/mitigate/prevent, and contact information.
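As an added illustration, not part of the original article, the following Python turns the timing rules above into a small deadline calculator; the function and field names are my own, and the breach figures in the sample are constructed.

```python
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60       # "no later than 60 calendar days"
STATE_MEDIA_THRESHOLD = 500   # 500 or more individuals in one state/territory -> media notice
HHS_PROMPT_THRESHOLD = 500    # 500 or more individuals in total -> HHS notice on the 60-day clock


def notification_plan(discovered_on, affected_by_state, low_probability_of_compromise=False):
    """Map a breach to the notices it triggers and the deadline for each.

    discovered_on: date (or "YYYY-MM-DD" string) the breach was discovered; starts the clock.
    affected_by_state: counts of affected individuals per state/territory, e.g. {"TX": 620}.
    low_probability_of_compromise: True only when a documented four-factor risk
        assessment supports that conclusion; then no notices are owed.
    """
    if isinstance(discovered_on, str):
        discovered_on = date.fromisoformat(discovered_on)
    if low_probability_of_compromise:
        return {"notification_required": False,
                "note": "Retain the documented risk assessment; no notices owed."}

    total = sum(affected_by_state.values())
    by_discovery = discovered_on + timedelta(days=NOTICE_WINDOW_DAYS)

    # Media notice applies only in states/territories with 500 or more affected residents.
    media_states = sorted(s for s, n in affected_by_state.items() if n >= STATE_MEDIA_THRESHOLD)

    # HHS notice: 500 or more in total shares the 60-day clock; smaller breaches are
    # reported within 60 days after the end of the calendar year of discovery.
    if total >= HHS_PROMPT_THRESHOLD:
        hhs_deadline = by_discovery
    else:
        hhs_deadline = date(discovered_on.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)

    return {
        "notification_required": True,
        "total_affected": total,
        "individual_notice_by": by_discovery,
        "media_notice_states": media_states,
        "media_notice_by": by_discovery if media_states else None,
        "hhs_notice_by": hhs_deadline,
    }


def days_left(deadline, today):
    """Whole days remaining before a deadline (negative once it has passed)."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed sample: a stolen unencrypted laptop, discovered 2024-03-10.
    for key, value in notification_plan("2024-03-10", {"TX": 620, "OK": 40}).items():
        print(f"{key}: {value}")
```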
What to do next
- Establish the discovery date, open an incident file, and complete the risk assessment promptly.
- Draft clear notifications and FAQs for affected individuals; stand up a call line for questions.
- Coordinate regulator submissions and any required media notice; document all actions and timelines.
- Implement corrective actions and verify their effectiveness.
Conclusion
Most HIPAA breaches trace to preventable failures: weak Access Control Policies, missing Encryption Standards, process mistakes, or unmanaged vendors. By recognizing common scenarios and acting quickly—assessing risk, containing exposure, and following the Breach Notification Rule—you protect patients, demonstrate HIPAA Compliance, and reduce legal and reputational harm.
FAQs
What constitutes a breach of PHI under HIPAA?
A breach is an impermissible use or disclosure of PHI that compromises its privacy or security, unless your documented risk assessment shows a low probability of compromise considering the data involved, the recipient, whether it was actually viewed/acquired, and mitigation performed.
What steps should be taken after a PHI breach?
Contain the incident, secure systems, and preserve logs; complete the risk assessment; consult policies and your incident response plan; notify individuals, HHS, and media as required by the Breach Notification Rule; and implement corrective actions such as stronger Access Control Policies, staff training, and Encryption Standards.
How does HIPAA define unauthorized disclosure?
It is the release, transfer, or provision of access to PHI to someone not authorized to receive it—whether by misdirected email, fax, conversation, or system access—outside permitted uses and disclosures or without valid patient authorization.
When must patients be notified of a PHI breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. Notices must include what happened, what information was involved, recommended protective steps, what you are doing in response, and how to contact you.