What To Do When an Employee Discloses PHI: HIPAA Breach Checklist

Kevin Henry

HIPAA

December 03, 2024

7 minutes read

Definition of HIPAA Breach

A HIPAA breach occurs when there is an impermissible use or disclosure of protected health information (PHI) under the Privacy Rule that compromises the security or privacy of the PHI. In practice, any impermissible use or disclosure, including one by a workforce member, is presumed to be a breach unless one of the three regulatory exceptions applies or you demonstrate, in a documented risk assessment, a low probability that the PHI has been compromised.

Covered Entity Responsibilities include establishing policies, monitoring compliance, and responding decisively when incidents arise. Workforce Member Obligations include immediately reporting suspected incidents, cooperating with investigations, and following minimum necessary standards to limit exposure.

Immediate response checklist

  • Contain the incident: stop further disclosure, secure systems, and retrieve or delete misdirected information if possible.
  • Preserve evidence: save emails, system logs, and screenshots; record who, what, when, where, and how.
  • Notify privacy/security leadership without delay; escalate to legal/compliance as required.
  • Begin the risk assessment to determine if notification under the Breach Notification Rule is required.
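The "preserve evidence" step above is only as good as your ability to prove later that nothing was altered between collection and the breach determination. The following is an added example, not code from the original article, of a tamper-evident evidence manifest: each preserved artifact is hashed with SHA-256 and recorded in a hash-chained entry that captures who collected it, what it is, and when. The artifact contents, addresses and names are constructed for illustration and contain no real PHI.

```python
"""Tamper-evident evidence manifest for a PHI-disclosure incident.

Added example (not from the original article). Each preserved artifact
(misdirected email, mail-gateway log excerpt) is hashed and appended to a
hash-chained manifest recording who/what/when. Re-hashing the chain later
reveals whether any entry or artifact changed after collection.
All artifacts, names and addresses below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts (no real PHI): the misdirected email and a
# mail-gateway log line showing delivery to the external recipient.
ARTIFACTS = {
    "misdirected-email.eml": (
        b"From: nurse@example-clinic.test\r\n"
        b"To: vendor@external-example.test\r\n"
        b"Subject: Lab results for patient 10442\r\n\r\n"
        b"(attachment: results.pdf)\r\n"
    ),
    "mail-gateway.log": (
        b"2024-12-03T14:07:11Z relay=outbound from=nurse@example-clinic.test "
        b"to=vendor@external-example.test status=delivered\r\n"
    ),
}

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of an entry's canonical JSON form, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def add_entry(manifest: list, name: str, data: bytes, collected_by: str,
              description: str, collected_at: str) -> dict:
    """Append one artifact record, chained to the previous entry's hash."""
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    entry = {
        "seq": len(manifest) + 1,
        "artifact": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_by": collected_by,
        "collected_at": collected_at,
        "description": description,
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_digest(entry)
    manifest.append(entry)
    return entry


def verify_manifest(manifest: list, artifacts: dict) -> list:
    """Return a list of problems; an empty list means chain and artifacts are intact."""
    problems = []
    prev = GENESIS
    for entry in manifest:
        if entry["prev_hash"] != prev:
            problems.append(f"seq {entry['seq']}: broken chain link")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"seq {entry['seq']}: entry record altered")
        data = artifacts.get(entry["artifact"])
        if data is None:
            problems.append(f"seq {entry['seq']}: artifact missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"seq {entry['seq']}: artifact content changed")
        prev = entry["entry_hash"]
    return problems


def build_manifest(artifacts: dict, collected_by: str, collected_at: str) -> list:
    """Record every artifact in insertion order under one collector and timestamp."""
    manifest = []
    for name, data in artifacts.items():
        add_entry(manifest, name, data, collected_by,
                  f"Preserved copy of {name}", collected_at)
    return manifest


if __name__ == "__main__":
    when = datetime(2024, 12, 3, 15, 0, tzinfo=timezone.utc).isoformat()
    m = build_manifest(ARTIFACTS, "privacy.officer@example-clinic.test", when)
    print(json.dumps(m, indent=2))
    print("intact:", verify_manifest(m, ARTIFACTS) == [])
    tampered = dict(ARTIFACTS, **{"mail-gateway.log": b"status=bounced\r\n"})
    print("after tampering:", verify_manifest(m, tampered))
```

Store the manifest alongside the artifacts in write-once storage, and record the final `entry_hash` in the incident ticket at collection time; anyone auditing the breach determination can then re-run `verify_manifest` and confirm the evidence set is the one the four-factor assessment was based on.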

Exceptions to Breach Definition

HIPAA recognizes specific exceptions where an impermissible disclosure is not a breach. These include unintentional access or acquisition by a workforce member acting in good faith within the scope of authority, if no further use or disclosure occurs. Another exception covers inadvertent disclosures between authorized persons within the same covered entity or business associate, provided the information is not further used impermissibly.

A third exception applies when the recipient could not reasonably have retained the information (for example, a sealed letter returned unopened). Separately, data that has been properly de-identified under the Privacy Rule's safe harbor or expert determination methods is not PHI at all, so its disclosure is not a breach; but data that does not meet that standard, because it can still be re-identified with reasonable effort, remains PHI and must be assessed like any other disclosure.

Practical examples

  • A misdirected email to a colleague who is authorized to access the same patient's record falls under the second exception, provided the colleague does not further use or disclose the information and the error is documented.
  • A fax to a non-authorized external party is not covered by any exception and must be run through the four-factor assessment.

Risk Assessment for PHI Exposure

To determine whether there is a low probability of compromise, evaluate the required four factors and document your analysis. Apply consistent criteria to reach a defensible conclusion for each incident involving Unsecured Protected Health Information.

The four-factor assessment

  • Nature and extent of PHI involved: identify data elements (diagnoses, SSN, financials) and the Risk of Re-identification (e.g., small datasets, rare conditions).
  • Unauthorized person: consider the recipient’s role and obligations (covered entity, business associate, or layperson) and their likelihood to misuse the data.
  • Whether PHI was actually acquired or viewed: confirm access logs, read receipts, or the feasibility that the recipient opened or stored the data.
  • Extent of mitigation: actions like retrieval, remote wipe, confidentiality assurance, or secure deletion reduce risk; document Breach Mitigation Strategies taken and their effectiveness.

Decision record

  • Summarize evidence for each factor and your rationale for the final determination (breach vs. not a breach).
  • Record containment steps, dates, and responsible personnel for audit readiness.

Breach Notification Requirements

If the assessment does not support a low probability of compromise, the Breach Notification Rule applies. Notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. Discovery occurs on the first day the breach is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the covered entity or business associate, which is why the internal reporting duty in the checklist above matters: the clock does not wait for the report to reach the privacy officer.

Individual notices must be written in plain language and include: a description of the breach (including dates of breach and discovery), the types of information involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and contact methods for questions. Send by first-class mail, or by email if the individual has agreed to electronic notice. When contact information is insufficient or out of date, provide substitute notice; for 10 or more such individuals this means a conspicuous posting on your website or notice in major print or broadcast media, plus a toll-free number, maintained for 90 days.

If a breach involves more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that state or jurisdiction. If it involves 500 or more individuals in total, report it to HHS contemporaneously with the individual notices. For breaches involving fewer than 500 individuals, log the breach and submit it to HHS no later than 60 days after the end of the calendar year in which it was discovered. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after the business associate's own discovery, providing the identities of affected individuals and any other details the covered entity needs for its notices.

Additional considerations

  • Law enforcement delay: you must postpone notices if a law enforcement official states that notice would impede a criminal investigation or damage national security. A written statement specifying a period governs for that period; an oral statement must be documented (including the official's identity) and justifies a delay of no more than 30 days from the statement unless a written statement follows.
  • Coordinate with state breach-notification laws, which may impose shorter timelines, lower thresholds, or additional content and regulator-notice requirements.

Management of Unsecured PHI

Unsecured Protected Health Information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method HHS has specified in guidance: encryption consistent with NIST standards, or destruction (shredding or pulverizing paper, and clearing, purging, or destroying electronic media per NIST media-sanitization guidance). Encryption only counts if the decryption key was not also compromised; a lost laptop with full-disk encryption whose key or passphrase was stored on the same device, or a database whose keys leaked with it, remains unsecured and the breach notification provisions apply.

Containment and technical response

  • Disable compromised accounts, revoke tokens, and rotate credentials; initiate remote wipe on lost devices when feasible.
  • Retrieve or request deletion from unintended recipients; obtain written assurances when appropriate.
  • Segment affected systems, analyze logs, and preserve forensic artifacts to understand scope and prevent recurrence.

Documentation and Compliance Procedures

Maintain comprehensive records of incidents, decisions, and actions to demonstrate compliance. Your files should show the timeline from discovery through containment, assessment, notifications, and closure, including all approvals and sign-offs.

Compliance record essentials

  • Incident intake notes, evidence logs, copies of communications, and mitigation artifacts.
  • Risk assessment worksheets addressing the four factors and final breach determination.
  • Notifications sent to individuals, HHS, and media (when applicable), with dates and content.
  • Business associate agreements, vendor attestations, and sanctions applied, retained for at least six years from creation or last effective date, as the Privacy Rule's documentation requirement demands.

Program oversight

  • Conduct periodic audits of access logs, disclosures, and incident handling.
  • Test breach response procedures through tabletop exercises and update policies accordingly.
  • Track corrective actions to closure and verify effectiveness.

Employee Training and Sanctions

Preventing impermissible disclosure starts with role-based training that explains your privacy policies, minimum necessary standards, and practical do’s and don’ts (e.g., email safeguards, double-checking recipients, and secure messaging). Reinforce Workforce Member Obligations to report suspected incidents immediately and cooperate with containment.

Adopt graduated sanctions that are fair, consistent, and proportional to risk and intent. Use coaching and retraining for low-risk errors, and escalate for repeat or reckless behavior. Document each action to support accountability and continuous improvement.

Post-incident learning

  • Deliver targeted refresher training addressing the root cause of the incident.
  • Update procedures, templates, and technical controls to reduce recurrence.
  • Share anonymized lessons learned across teams to strengthen Covered Entity Responsibilities in practice.

Conclusion

When an employee discloses PHI, move quickly: contain, document, assess risk, notify as required, and strengthen controls. A disciplined process grounded in the Breach Notification Rule, clear roles, and practical Breach Mitigation Strategies protects patients, reduces organizational exposure, and builds a culture of compliance.

FAQs

What constitutes a HIPAA breach by an employee?

A breach occurs when a workforce member’s impermissible disclosure or use of PHI compromises its privacy or security and no exception applies. It is presumed a breach unless your documented four-factor assessment shows a low probability that the PHI was compromised.

When must affected individuals be notified of a PHI breach?

Provide notice without unreasonable delay and no later than 60 calendar days after discovery. The notice must include what happened, what information was involved, steps individuals can take, your mitigation actions, and how they can contact you for help.

What are the exceptions to breach notification?

Exceptions include good-faith, unintentional access by an authorized workforce member acting within the scope of authority; inadvertent disclosure between persons authorized to access PHI at the same covered entity or business associate; and situations where the recipient could not reasonably have retained the information. In each case, the exception holds only if the PHI is not further used or disclosed impermissibly. Properly de-identified data is not PHI at all, but data that does not meet the de-identification standard is still PHI and is assessed like any other disclosure.

How should an organization document and respond to a PHI breach?

Follow a clear playbook: quickly contain the incident, preserve evidence, complete the four-factor risk assessment, decide if notification is required, and execute timely notices. Document every step, including timelines, decisions, mitigation, sanctions, and corrective actions, and retain records to meet HIPAA compliance expectations.
