The HIPAA Breach Notification Rule: What to Do When PHI Gets Out

Published May 4, 2026

When patient information gets out — through a lost laptop, a ransomware attack, a misrouted fax, or an employee accessing records they shouldn't — HIPAA's Breach Notification Rule (45 CFR Part 164 Subpart D) sets out exactly what you have to do, in what order, and by when. Get the timing wrong and you face penalties on top of whatever caused the breach. Here's the playbook.

What counts as a breach

45 CFR § 164.402 defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Three exceptions: (1) unintentional access by a workforce member acting in good faith, (2) inadvertent disclosure between authorized workforce members at the same practice, and (3) disclosure where you have a reasonable basis to believe the recipient could not retain the information.

A presumption applies: any unauthorized acquisition of PHI is presumed to be a breach unless you can demonstrate, through a documented risk assessment, that there is a low probability the PHI was actually compromised.

The four-factor risk assessment

If you suspect a breach, the Breach Notification Rule requires a written four-factor analysis (45 CFR § 164.402(2)) to determine whether notification is required. The four factors are:

• The nature and extent of the PHI involved (clinical detail, identifiers, financial data)
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed
• The extent to which the risk has been mitigated

If the risk assessment concludes there is a low probability the PHI was compromised, no breach notification is required — but you must document the risk assessment and retain it for six years (45 CFR § 164.530(j)).

Notification deadlines

If notification is required, the deadlines are:

• Patients: Notify each affected individual without unreasonable delay and no later than 60 days from the discovery of the breach (45 CFR § 164.404). Notification must be in writing, by first-class mail (or email if the patient has agreed to electronic notification), and contain specific content listed in the rule.

• HHS: For breaches of 500 or more individuals, notify HHS within 60 days of discovery (45 CFR § 164.408(b)). For smaller breaches, log them and report annually within 60 days after year-end.

• Media: For breaches of 500 or more individuals affecting residents of a single state or jurisdiction, notify prominent media outlets in that state within 60 days (45 CFR § 164.406).

"Discovery" means the first day the breach is known, or by reasonable diligence should have been known, by any workforce member — not the day the breach was confirmed by your Security Officer.

The first 24 hours after discovery

An effective breach response in the first 24 hours covers:

1. Contain the breach — pull the affected device offline, disable the compromised account, lock the door on the broken file cabinet
2. Document what happened, when it was discovered, who was involved, what PHI may have been exposed
3. Notify your Privacy Officer and Security Officer (in a solo practice, that's you)
4. Begin the four-factor risk assessment
5. Engage IT or legal counsel if the breach involves more than a handful of records or includes sensitive PHI
6. Preserve evidence — don't wipe devices, don't delete logs

The 60-day clock starts ticking from discovery, so the first 24 hours matter.

Key takeaways

• A breach is any unauthorized acquisition, access, use, or disclosure of PHI
• The presumption is that an incident IS a breach unless you can document otherwise
• Patient notification: 60 days from discovery (45 CFR § 164.404)
• HHS notification: 60 days for 500+ breaches, annual log for smaller
• Media notification: 60 days for 500+ in a single state
• Document the four-factor risk assessment even if you conclude no notification is needed
