The acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
Under HIPAA, a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner that violates the Privacy Rule and compromises the security or privacy of the information. HIPAA presumes that any impermissible use or disclosure of PHI constitutes a breach unless the covered entity or business associate can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. This "presumption of breach" places the burden of proof on the organization to show that a particular incident does not qualify as a reportable breach.
HIPAA recognizes three specific exceptions under which an impermissible use or disclosure does not constitute a breach. The first is unintentional access by a workforce member acting in good faith and within the scope of their authority, provided the information is not further used or disclosed improperly. The second is inadvertent disclosure between persons who are both authorized to access PHI at the same covered entity or business associate. The third covers situations in which the covered entity has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information. These exceptions are narrow, and organizations should carefully document their analysis whenever they invoke one.
When a potential breach occurs, organizations must perform a risk assessment considering four factors to determine whether notification is required: (1) the nature and extent of the PHI involved, including identifiers and likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. If the assessment shows more than a low probability of compromise, the organization must follow the Breach Notification Rule and report the incident to affected individuals, HHS, and potentially the media.