What is the HIPAA Breach Notification Rule?

Modified on Tue, 13 Jun, 2023 at 9:33 AM

The HIPAA Breach Notification Rule (BNR) requires that covered entities (CEs), following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. The rule also requires business associates (BAs) to notify covered entities following the business associates’ discovery of a breach of unsecured protected health information.

What is a “Breach”?
Subject to three exceptions discussed below, a “breach” is an unauthorized acquisition, access, use, or disclosure of PHI, in a manner not permitted under the Privacy Rule, that compromises the PHI's privacy or security.

What Scenarios are Excluded from the Definition of the Word “Breach”?
By definition, certain incidents do not qualify as breaches. The three exceptions are:

  1. There has been an unintentional acquisition, access, or use of PHI by a workforce member or other person acting under a CE's or BA's authority; the acquisition, access, or use was made in good faith and within the course and scope of the person's employment (or other professional relationship) with the CE or BA; and the information is not further acquired, accessed, used, or disclosed by anyone.

  2. There has been an inadvertent disclosure of PHI from one person who is authorized to access PHI at a facility operated by a CE or BA, to another person similarly situated at the same facility, and the information received is not further acquired, accessed, used, or disclosed without authorization by anyone.

  3. There has been a disclosure of PHI, and the CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made could not reasonably have retained the information.

What Factors Must be Considered in Determining Whether a Breach Has Occurred?

Save for the above three exceptions (which are not regarded as breaches), an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following four (4) factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the PHI.

    To evaluate this first factor, CEs and BAs should consider the type and sensitivity of the PHI involved in the impermissible use or disclosure. For financial information, PHI could include credit card numbers, social security numbers, and other information that increases the risk of identity theft or financial fraud. With respect to clinical information, the CE or BA should consider both the nature of the services rendered and the amount of detailed clinical information involved (e.g., treatment plan, diagnosis, medication, medical history information, test results).

  2. The identity of the unauthorized person who used the PHI or to whom the disclosure was made.

    To evaluate this factor, CEs and BAs should consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information. For example, if protected health information is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules, there may be a lower probability that the protected health information has been compromised, since the recipient of the information is obligated to protect its privacy and security.

  3. Whether the PHI was actually acquired or viewed.

    To evaluate this factor, covered entities and business associates should investigate an impermissible use or disclosure to determine if the protected health information was actually acquired or viewed. For example, if a laptop computer was stolen and later recovered, and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired. In contrast, if a covered entity mails information to the wrong individual, who opens the envelope and calls the entity to say that she received the information in error, the unauthorized recipient has viewed and acquired the information, because she opened and read it to the extent that she recognized it was mailed to her in error.

  4. The extent to which the risk to the PHI has been mitigated.

    Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement, affidavit, or similar measures). Additional mitigation measures can include retraining workforce members on the provisions of the Privacy Rule implicated by the incident.

If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required.
