A HIPAA breach is an impermissible use or disclosure of unsecured protected health information that violates the HIPAA Privacy Rule and is presumed to be a breach under the HIPAA Breach Notification Rule unless the covered entity or business associate completes a documented risk assessment showing a low probability that the protected health information was compromised.
A breach analysis begins by determining whether protected health information was involved and whether it was unsecured at the time of the incident. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method recognized for securing the information, such as encryption consistent with federal guidance. A breach can involve paper records, verbal disclosures, photographs, screenshots, emails, databases, portable media, cloud storage, or any other medium in which protected health information is created, received, maintained, or transmitted.
An impermissible use or disclosure is presumed to be a breach unless a risk assessment considers specific factors and supports a low probability of compromise. The risk assessment evaluates the nature and extent of the protected health information involved, including the identifiers and the likelihood of re-identification, the unauthorized person who used the protected health information or to whom the disclosure was made, whether the protected health information was actually acquired or viewed, and the extent to which the risk to the protected health information has been mitigated. Documentation of the assessment supports compliance and informs whether notification obligations apply.
The HIPAA Breach Notification Rule also defines three exceptions: events that are not treated as breaches when their conditions are met. The first is an unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, made in good faith and within the scope of authority, and not resulting in further impermissible use or disclosure. The second is an inadvertent disclosure by an authorized person to another authorized person at the same covered entity, business associate, or organized health care arrangement, when the information is not further used or disclosed in an impermissible manner. The third applies when a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made could not reasonably have retained the information.
When an incident meets the definition of a breach of unsecured protected health information, notification duties apply. Notices to affected individuals are required without unreasonable delay and no later than 60 days following discovery. Additional reporting duties apply based on the size and circumstances of the breach, including reporting to the U.S. Department of Health and Human Services and, for certain large breaches, notice to prominent media outlets serving the affected area.
Staff Training Related to HIPAA Breaches
HIPAA staff training reduces the likelihood of breaches and supports timely detection and reporting by defining workforce responsibilities for protecting protected health information and for responding to suspected impermissible uses or disclosures under the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Training should be assigned to employees, clinicians, contractors, volunteers, students, and temporary staff whose duties may involve access to protected health information, with onboarding training completed within three months of hire and refresher training completed annually, plus additional training when policies change, new systems are implemented, or an incident occurs. Training content should cover common breach scenarios such as misdirected communications, improper access, lost devices, phishing compromises, and improper disposal, along with required reporting channels, incident escalation steps, and preservation of relevant evidence for investigation. Knowledge checks, completion certificates, and administrative reporting document training completion and support compliance oversight.
