When an Unintentional HIPAA Violation Isn’t a Breach: Policy Guide
Definition of HIPAA Breach
A HIPAA breach is the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. In practice, you treat any impermissible use or impermissible disclosure as a presumed breach unless you can demonstrate a low probability that the PHI has been compromised.
HIPAA distinguishes between secured and unsecured PHI. If PHI is rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption), the Breach Notification Rule generally does not apply. When PHI is unsecured, you must perform and document a formal risk assessment before concluding that an incident is not a breach.
Key terms to anchor your policy
- Protected Health Information (PHI): Individually identifiable health information in any form or medium maintained or transmitted by a covered entity or business associate.
- Impermissible Disclosure: A use or disclosure not allowed by the Privacy Rule or by your authorizations, BAAs, or policies.
- Covered Entity/Business Associate: Entities regulated by HIPAA; both must evaluate incidents and cooperate on breach determinations.
- Presumption of Breach: The starting assumption that an incident is a breach unless your documented analysis shows low probability of compromise.
Exceptions to HIPAA Breach
HIPAA recognizes narrow exceptions where an unintentional violation is not a breach. These exceptions hinge on good faith, Workforce Member Authority, and the absence of further impermissible disclosure.
Good Faith Exception
An unintentional acquisition, access, or use of PHI by a workforce member or person acting under a covered entity’s or business associate’s authority is not a breach when it is made in good faith, within the scope of Workforce Member Authority, and the information is not further used or disclosed in violation of the Privacy Rule. Example: a nurse opens the wrong chart, realizes the error immediately, closes it, reports the incident, and does not copy, discuss, or further disclose the PHI.
Inadvertent internal disclosure
An inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same organization (or organized health care arrangement) is not a breach, provided there is no further violation. Example: a lab result is emailed to the wrong clinician within the same practice, both of whom are authorized to access that patient’s data, and the message is promptly deleted.
Recipient could not reasonably retain the information
A disclosure where you have a good faith belief the unauthorized recipient could not reasonably have retained the PHI is not a breach. Example: a sealed discharge summary is handed to the wrong patient in a waiting room, retrieved immediately unopened, and verified with the patient; or PHI is displayed briefly on a screen and turned away before it can be copied or photographed.
Important limits on exceptions
- The exceptions fail if the PHI is re-disclosed, copied, photographed, or otherwise retained by an unauthorized person.
- Good faith depends on prompt recognition, reporting, and containment; delays undermine the exception.
- Authorization to access PHI must align with job duties; access outside the scope of Workforce Member Authority defeats the exceptions.
Risk Assessment for Breach Determination
When an incident does not clearly meet an exception, you must conduct a documented, fact-specific analysis to determine the probability that PHI has been compromised. This analysis, often organized with a Risk Assessment Matrix, must be methodical, evidence-based, and reproducible.
The four required factors
- Nature and extent of PHI involved: Identify the data elements (e.g., diagnoses, SSNs, financial details) and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made: Consider whether the recipient is subject to privacy obligations or professional ethics.
- Whether the PHI was actually acquired or viewed: Determine through logs, attestations, or forensics if anyone accessed, downloaded, or read the PHI.
- The extent to which the risk has been mitigated: Assess mitigation such as verified deletion, successful recall, or binding attestations limiting further use.
Using a Risk Assessment Matrix
Score the likelihood and severity for each factor (for example, 1–5) and map the combined score to a qualitative outcome: low, moderate, or high probability of compromise. Your matrix should define thresholds for “low probability” determinations and require written rationale, evidence, and approvals.
- Low probability: Minimal identifiers, trusted recipient subject to privacy duties, no evidence of viewing, and strong mitigation documented.
- High probability: Sensitive identifiers (e.g., SSN), unknown or risky recipient, confirmed viewing or acquisition, and weak or no mitigation.
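As an added worked example (not part of the original guide and not taken from any vendor product), the following Python sketch encodes the four-factor matrix described above: each factor gets a 1–5 likelihood and severity score with written rationale and listed evidence, the per-factor products are summed, and the total is mapped to low, moderate, or high probability of compromise. The threshold values LOW_MAX and MODERATE_MAX, the factor names, and the two constructed scenarios are assumptions chosen to illustrate the policy described on the page; HIPAA itself prescribes no numeric thresholds. The example also enforces two points the text makes: the presumption of breach stands when any factor lacks rationale or evidence, and a "low probability" finding needs a recorded approval before it rebuts that presumption.

```python
"""Four-factor breach risk assessment matrix (illustrative example).

Assumptions (not from HIPAA or the page): the combined-score thresholds
LOW_MAX / MODERATE_MAX, the factor keys, and both sample scenarios are
constructed for demonstration only.
"""
from dataclasses import dataclass

# The four factors required for a breach risk assessment, scored as the
# likelihood/severity that the factor leaves the PHI compromised.
FACTORS = (
    "nature_and_extent",    # data elements involved, re-identification risk
    "unauthorized_person",  # recipient's privacy duties / trustworthiness
    "acquired_or_viewed",   # logs, attestations, forensics: actually seen?
    "mitigation",           # residual risk after deletion, recall, attestation
)

# Hypothetical policy thresholds on the combined score (possible range 4..100).
LOW_MAX = 24
MODERATE_MAX = 50


@dataclass(frozen=True)
class FactorScore:
    likelihood: int   # 1 = very unlikely compromise ... 5 = near certain
    severity: int     # 1 = negligible impact ... 5 = severe impact
    rationale: str    # written justification required by policy
    evidence: tuple   # e.g. ("EHR access log export", "recipient attestation")

    def risk(self) -> int:
        return self.likelihood * self.severity


def validate(scores: dict) -> list:
    """Return the problems that block a determination (empty list if none)."""
    problems = []
    for name in FACTORS:
        s = scores.get(name)
        if s is None:
            problems.append(f"{name}: factor not scored")
            continue
        if not (1 <= s.likelihood <= 5 and 1 <= s.severity <= 5):
            problems.append(f"{name}: likelihood and severity must be 1-5")
        if not s.rationale.strip():
            problems.append(f"{name}: written rationale missing")
        if not s.evidence:
            problems.append(f"{name}: no supporting evidence listed")
    return problems


def combined_score(scores: dict) -> int:
    """Sum of likelihood x severity across the four factors."""
    return sum(scores[name].risk() for name in FACTORS)


def probability_of_compromise(total: int) -> str:
    """Map the combined score to the qualitative band using the assumed thresholds."""
    if total <= LOW_MAX:
        return "low"
    if total <= MODERATE_MAX:
        return "moderate"
    return "high"


def determine(scores: dict, approved_by: str = "") -> dict:
    """Apply the matrix; the presumption of breach stands unless the result is
    'low' and the determination has been approved."""
    problems = validate(scores)
    if problems:
        return {"determination": "incomplete", "problems": problems}
    total = combined_score(scores)
    band = probability_of_compromise(total)
    if band == "low" and not approved_by:
        # A low-probability finding does not rebut the presumption until signed off.
        return {"determination": "pending_approval", "score": total, "band": band}
    return {
        "determination": "not_a_breach" if band == "low" else "presumed_breach_notify",
        "score": total,
        "band": band,
        "approved_by": approved_by,
        "per_factor": {name: scores[name].risk() for name in FACTORS},
    }


# Constructed scenario mirroring the page's "low probability" description.
LOW_SCENARIO = {
    "nature_and_extent": FactorScore(2, 1, "Name and appointment date only", ("message copy",)),
    "unauthorized_person": FactorScore(1, 2, "Clinician at partner practice bound by HIPAA", ("BAA on file",)),
    "acquired_or_viewed": FactorScore(1, 2, "Mail server log shows unopened recall", ("mail log export",)),
    "mitigation": FactorScore(1, 2, "Recalled and deletion attested within the hour", ("attestation",)),
}

# Constructed scenario mirroring the page's "high probability" description.
HIGH_SCENARIO = {
    "nature_and_extent": FactorScore(5, 5, "Full SSN and diagnosis list", ("file inventory",)),
    "unauthorized_person": FactorScore(5, 4, "Unknown external email address", ("headers",)),
    "acquired_or_viewed": FactorScore(5, 5, "Read receipt and download confirmed", ("tracking log",)),
    "mitigation": FactorScore(5, 4, "No response to recall or deletion request", ("outreach log",)),
}

if __name__ == "__main__":
    print(determine(LOW_SCENARIO, approved_by="Privacy Officer"))
    print(determine(HIGH_SCENARIO))
```

The scores and thresholds are the policy owner's to set; what the code fixes is the discipline the page asks for: every factor scored, every score backed by rationale and evidence, and no "not a breach" outcome without a named approver.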
Evidence to collect and retain
- System and access logs, device encryption status, and email headers.
- Recipient attestations and proof of deletion/return.
- Timelines showing discovery, containment, and notifications.
- Approvals of the analysis and final determination.
Breach Notification Requirements
If you cannot demonstrate a low probability that unsecured PHI was compromised, the Breach Notification Rule requires notification without unreasonable delay and no later than 60 calendar days from discovery. Business associates must notify the covered entity so the covered entity can fulfill notifications; BA notices should include the identities of affected individuals and known details to support timely outreach.
Who must be notified
- Individuals: Notify each affected person by first-class mail (or email if they agreed to electronic notice).
- HHS: For incidents affecting 500 or more individuals in a state or jurisdiction, notify the Department of Health and Human Services contemporaneously and no later than 60 days from discovery. For fewer than 500, log the breach and submit to HHS no later than 60 days after the end of the calendar year.
- Media: If 500 or more residents of a state or jurisdiction are affected, provide notice to prominent media outlets serving that area.
Content and method of individual notice
- Brief description of what happened, including the date of the breach and discovery.
- Types of PHI involved (e.g., names, diagnoses, account numbers).
- Steps individuals should take to protect themselves.
- What you are doing to investigate, mitigate harm, and prevent future incidents.
- How to contact you for more information (toll-free number, email, or postal address).
When contact information is insufficient for fewer than 10 individuals, you may use alternative notice such as telephone. If 10 or more individuals lack valid contact information, provide substitute notice via a conspicuous website posting or media notice for at least 90 days, along with a toll-free number.
Permissible delay for law enforcement
If a law enforcement official states that notice would impede a criminal investigation or threaten national security, you must delay notification for the time specified in the written statement, or for up to 30 days on an oral request while awaiting written confirmation.
Documentation and Corrective Actions
Regardless of breach determination, handle every incident through disciplined documentation and a Corrective Action Plan to reduce recurrence and prove compliance.
What to document for every incident
- Incident description, dates of occurrence and discovery, and who discovered it.
- Systems, locations, and data elements involved; whether PHI was secured or unsecured.
- Risk assessment details, including your Risk Assessment Matrix scores, evidence, and the final determination with rationale.
- Mitigation steps taken and, if applicable, notifications sent and timelines met.
- Decisions on exceptions (e.g., Good Faith Exception) and the basis for applying them.
- Retention of all materials for at least six years, as required by HIPAA recordkeeping rules.
Building an effective Corrective Action Plan
- Immediate containment: Secure devices, recall messages, reset access, and brief leaders.
- Training and coaching: Deliver targeted refreshers to involved staff and role-based education across teams.
- Policy and workflow fixes: Update minimum necessary procedures, unique ID use, verification steps, and error-prevention checklists.
- Technical safeguards: Strengthen encryption, DLP rules, auto-complete protections, access alerts, and audit logging.
- Business associate oversight: Reassess BAAs, require timely incident reporting, and verify vendor controls.
- Sanctions and accountability: Apply consistent sanctions and document outcomes.
- Monitoring and metrics: Trend incidents, track time-to-detection and time-to-containment, and review in compliance committees.
Conclusion
Not every unintentional HIPAA violation is a breach. By applying the defined exceptions, conducting a rigorous four-factor analysis with a Risk Assessment Matrix, following the Breach Notification Rule when required, and executing a thoughtful Corrective Action Plan, you can protect patients, reduce organizational risk, and demonstrate compliance.
FAQs
What qualifies as an unintentional but acceptable HIPAA violation?
Incidents that meet a HIPAA exception are not breaches. Typical examples include a workforce member’s good faith, within-scope access error that is promptly corrected with no further disclosure (Good Faith Exception), an inadvertent internal disclosure between two authorized workforce members, or a disclosure where the recipient could not reasonably retain the PHI. Each scenario depends on Workforce Member Authority, immediate containment, and no subsequent impermissible disclosure.
How is the risk assessment for a HIPAA breach conducted?
You analyze four factors: the nature and extent of PHI involved, who used or received it, whether it was actually acquired or viewed, and the extent of mitigation. Many organizations operationalize this with a Risk Assessment Matrix that scores likelihood and severity, ties scores to “low” or “high” probability of compromise thresholds, and requires documented evidence and approvals for the final determination.
When is breach notification required under HIPAA?
Notification is required when unsecured PHI is involved and you cannot show a low probability of compromise after the four-factor assessment. Under the Breach Notification Rule, notify affected individuals without unreasonable delay and no later than 60 days from discovery. For incidents affecting 500 or more individuals in a state or jurisdiction, also notify HHS and the media; for fewer than 500, report to HHS no later than 60 days after the end of the calendar year.
How should incidents without breach classification be documented?
Document them as privacy incidents with the full narrative, evidence, Risk Assessment Matrix analysis, and the specific exception or rationale for “no breach.” Include mitigation steps, leadership approvals, and any elements of your Corrective Action Plan. Retain all records for at least six years and trend them for training, process, and control improvements.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment