What Is a HIPAA Breach? 2026 Rules Explained
What is a HIPAA breach? A HIPAA breach is any acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the HIPAA Privacy Rule, which compromises the security or privacy of that PHI. Most covered entities, business associates, and healthcare startups assume any unauthorized PHI exposure automatically counts as a HIPAA breach. That assumption is wrong in both directions: some exposures are formally excluded, and some incidents that look minor trigger mandatory notifications within 60 days.
This guide explains exactly how the Office for Civil Rights (OCR) defines a HIPAA breach in 2026, the four-factor risk assessment that determines whether an incident is reportable, the three breach exceptions, and the precise notification timelines and penalties that follow. If you are a covered entity, business associate, or healthcare SaaS startup, this is the decision tree you run the first time you find PHI somewhere it shouldn't be.
HIPAA Breach at a Glance
| Element | Rule |
|---------|------|
| Legal basis | 45 CFR 164.400 to 164.414 (Breach Notification Rule) |
| Definition | Impermissible PHI use/disclosure that compromises security or privacy |
| Rebuttal test | 4-factor risk assessment, documented |
| Individual notice | Within 60 days of discovery |
| HHS notice (500+) | Within 60 days of discovery |
| HHS notice (<500) | Annual batch, within 60 days of year end |
| Media notice (500+ in state) | Within 60 days of discovery |
| Max civil penalty | $68,928 per violation, $2.1M annual cap per tier |
| Retention | 6 years (risk assessments, notifications, evidence) |
The HIPAA Breach Definition
The controlling regulation that answers "what is a HIPAA breach" is the HIPAA Breach Notification Rule at 45 CFR 164.400 through 164.414, enacted under the HITECH Act of 2009 and amended in 2013. The Department of Health and Human Services breach notification page restates the legal definition as follows:
"A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."
Two elements have to be true for an incident to be a breach. First, the use or disclosure must be impermissible under the HIPAA Privacy Rule, meaning not authorized by the patient, not required for treatment, payment, or operations, and not covered by one of the narrowly defined exceptions. Second, the incident must compromise the security or privacy of the PHI.
The second element is where the four-factor test lives. Since 2013, every impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.
The presumption is the key. Silence is not a defense. If you cannot show the risk assessment, OCR treats the incident as a reportable breach.
What Qualifies as PHI

A HIPAA breach can only occur if the information involved is actually PHI. Protected health information is any individually identifiable health information held or transmitted by a covered entity or business associate, in any form (electronic, paper, oral), that includes at least one of the 18 HIPAA identifiers.
The 18 identifiers from 45 CFR 164.514(b)(2) include names, geographic subdivisions smaller than a state, dates directly related to an individual (except year), phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying code.
De-identified data under the Safe Harbor method of 45 CFR 164.514 is not PHI, and an incident involving only de-identified data is not a HIPAA breach. The same data point can be PHI in one context and not PHI in another, depending on whether identifiers are attached.
Aggregated statistics, employment records maintained separately by the covered entity as an employer, and certain student records covered by FERPA are also excluded from PHI even when they contain health information.
The Four-Factor Breach Risk Assessment
When you find that PHI has been accessed, used, or disclosed in violation of the Privacy Rule, the presumption is that a breach has occurred. To rebut that presumption, you must conduct and document a risk assessment against four factors specified in 45 CFR 164.402:
Factor 1: The nature and extent of the PHI involved. Consider the types of identifiers and the likelihood of re-identification. A spreadsheet containing names plus diagnoses or Social Security numbers is high-risk. A list of patient IDs with no names, dates, or clinical context is lower-risk. Sensitive categories (mental health, substance abuse, HIV status, genetic data) raise the risk factor significantly.
Factor 2: The unauthorized person who used the PHI or to whom the disclosure was made. Disclosure to another HIPAA-covered entity under its own Privacy Rule obligations is a very different risk from disclosure to a random consumer. Disclosure to a workforce member with separate access authorization is different from a true external actor.
Factor 3: Whether the PHI was actually acquired or viewed. This is where forensic and log evidence matters. If an unencrypted laptop is stolen but you can prove from access logs that the device was never unlocked, the probability of actual viewing is low. If an email is misaddressed and the recipient immediately deletes it without opening the attachment, the probability of acquisition is low.
Factor 4: The extent to which the risk to the PHI has been mitigated. Signed confidentiality attestations from the unauthorized recipient, demonstrable destruction of the data, remote wipes on lost devices, and documented retraction of a misdirected email all reduce the factor. Mitigation must be provable; verbal assurance is not enough.
If the risk assessment demonstrates that the probability of compromise is low across all four factors, the incident is not treated as a reportable breach. The risk assessment, and the supporting evidence, must be retained for six years per 45 CFR 164.530(j).
The Three Breach Exceptions
Three specific fact patterns are excluded from the HIPAA breach definition even when a technical violation of the Privacy Rule occurs. These are listed in 45 CFR 164.402(1).
Exception 1: Unintentional acquisition by a workforce member acting in good faith and within the scope of authority. A nurse at a covered entity who accidentally opens the wrong chart but stops and does not further use or disclose the information has triggered this exception. Documentation still matters.
Exception 2: Inadvertent disclosure between two authorized persons at the same covered entity or organized healthcare arrangement. A coding specialist forwarding a note to a billing specialist who was not on the original distribution list, where both are authorized to access PHI, is inadvertent and excluded.
Exception 3: A good-faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI. A patient briefing handed to the wrong patient, returned immediately without the recipient reading it, is the classic example.
All three exceptions require documented evidence. OCR has repeatedly cited organizations that claimed an exception without retention of the contemporaneous notes, witness statements, or system logs supporting the claim.
What Is Not a Breach

Beyond the three formal exceptions, several categories of incidents are often misclassified as breaches but are not.
Encrypted data incidents. If the PHI at the time of the incident was encrypted per NIST SP 800-111 for data at rest or a FIPS 140-2 validated module for data in transit, and the decryption key was not also compromised, the PHI is considered "secured" under HHS guidance. Loss of a fully encrypted laptop with a separate, strong password is generally not a breach.
Limited data set disclosures. A limited data set (LDS), defined in 45 CFR 164.514(e), has direct identifiers removed and can be disclosed for research, public health, or healthcare operations under a data use agreement. Impermissible use of an LDS can still be a privacy violation but does not automatically trigger the breach notification rule if appropriate safeguards remained in place.
Incidents involving only de-identified data. If the data involved has been de-identified under Safe Harbor or Expert Determination methods, it is not PHI, and the incident is not a HIPAA breach.
Internal incidents without actual acquisition. Misconfigurations, logging errors, or testing exposures where no unauthorized party accessed the PHI are not breaches. These may still require internal incident response and documentation.
HIPAA Breach Notification Timelines
Once an incident is determined to be a reportable breach, three notification streams start, each with its own deadline. Miss any of them and you have a second violation stacked on top of the first.
Individual notification. The covered entity must notify each affected individual within 60 calendar days of discovery, by first-class mail to the most recent known address or by email if the individual has agreed. Notifications must include a description of what happened, the types of PHI involved, steps individuals should take, what the covered entity is doing in response, and contact information for further questions. If contact information for 10 or more individuals is out of date, substitute notification on the covered entity's website or in major print or broadcast media is required.
HHS notification. Notification to the Secretary of HHS (via the OCR breach portal) depends on the breach size. Breaches affecting fewer than 500 individuals can be batched and reported within 60 days after the end of the calendar year. Breaches affecting 500 or more individuals must be reported to HHS concurrently with the individual notification, within 60 days of discovery.
Media notification. For breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must be notified, also within 60 days of discovery.
Business associate obligations. If the breach occurs at a business associate, the BA must notify the covered entity without unreasonable delay and no later than 60 days after discovery. The covered entity then starts its own 60-day clock to notify individuals. The BAA typically compresses the BA's internal deadline to 30 days or less to leave the CE time to act. See our HIPAA Business Associate Agreement guide for the contractual side.
State breach notification laws run in parallel. Several states require notification in fewer than 60 days or include additional content requirements. If your state deadline is shorter, the state deadline controls.
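As an added worked example (not code from the original guide or from HHS), the following Python encodes the three notification streams above, the BA-to-CE hand-off, and the shorter-state-deadline override so an incident response playbook can compute the actual dates. The sample incidents and the 30-day state figure are constructed placeholders, not statements about any real case or any particular state's statute.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REG_WINDOW = 60  # calendar days: the Breach Notification Rule's outer limit


@dataclass
class Breach:
    discovered: date                    # first day the entity knew or should have known
    affected_total: int
    affected_by_state: dict             # state code -> affected residents of that state
    found_by_ba: bool = False           # incident surfaced at a business associate
    ba_contract_days: int = REG_WINDOW  # BAA-compressed BA-to-CE deadline, if any
    state_days: dict = field(default_factory=dict)  # state code -> statutory days, if shorter


def notification_deadlines(b: Breach) -> dict:
    """Return the notification deadlines for one incident as a dict of dates."""
    out = {}
    if b.found_by_ba:
        # The BA must tell the CE within its contractual deadline, never later than 60 days.
        # Worst case assumed: the CE's own 60-day clock starts on the day it is told.
        out["ba_to_ce"] = b.discovered + timedelta(days=min(b.ba_contract_days, REG_WINDOW))
        ce_clock = out["ba_to_ce"]
    else:
        ce_clock = b.discovered
    # Individual notice: 60 days, unless an affected state's law sets a shorter window.
    windows = [REG_WINDOW] + [d for st, d in b.state_days.items() if st in b.affected_by_state]
    out["individual"] = ce_clock + timedelta(days=min(windows))
    # HHS notice: 500+ within 60 days; otherwise annual batch, 60 days after the year ends.
    if b.affected_total >= 500:
        out["hhs"] = ce_clock + timedelta(days=REG_WINDOW)
    else:
        out["hhs"] = date(ce_clock.year, 12, 31) + timedelta(days=REG_WINDOW)
    # Media notice: only states where more than 500 residents are affected.
    out["media"] = {st: ce_clock + timedelta(days=REG_WINDOW)
                    for st, n in b.affected_by_state.items() if n > 500}
    return out


# Constructed sample incidents (not real cases). The 30-day CA value is a placeholder
# standing in for "a state with a shorter deadline", not a claim about California law.
SAMPLE_LARGE = Breach(date(2026, 1, 15), 1200, {"CA": 900, "NV": 300}, state_days={"CA": 30})
SAMPLE_SMALL = Breach(date(2026, 11, 20), 120, {"TX": 120})
SAMPLE_BA = Breach(date(2026, 1, 15), 700, {"WA": 700}, found_by_ba=True, ba_contract_days=30)

if __name__ == "__main__":
    for name, incident in [("large", SAMPLE_LARGE), ("small", SAMPLE_SMALL), ("ba", SAMPLE_BA)]:
        print(name, notification_deadlines(incident))
```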
HIPAA Breach Penalties
OCR enforces HIPAA through its Breach Portal (the "Wall of Shame") for breaches affecting 500 or more individuals, and through investigations triggered by notifications, complaints, and periodic audits.
The 2024 tiered civil money penalty structure applies:
- Tier 1 (no knowledge): $137 to $68,928 per violation, annual cap $2.1M
- Tier 2 (reasonable cause): $1,379 to $68,928 per violation, annual cap $2.1M
- Tier 3 (willful neglect, corrected): $13,785 to $68,928 per violation, annual cap $2.1M
- Tier 4 (willful neglect, uncorrected): $68,928 per violation, annual cap $2.1M
Criminal penalties apply in cases of knowing disclosure for personal gain or malicious harm, up to $250,000 in fines and 10 years of imprisonment under 42 USC 1320d-6.
Beyond OCR fines, breached entities face state attorney general actions (state AGs gained HIPAA enforcement authority under HITECH), private class-action litigation under state privacy statutes, breach-notification costs (forensics, call centers, credit monitoring), reputational damage, and elevated cyber-insurance premiums. For a concrete example of the full cost, see our analysis of the Target data breach and PCI DSS failures, which shows how a major breach cascades across legal, financial, and regulatory dimensions.
Patterns in 2024 and 2025 OCR settlements consistently included late notification (past 60 days), missing or out-of-date risk assessments, inadequate business associate agreements, and failure to implement basic access controls. See our HIPAA violation penalties guide for the settlement database.
How to Respond to a Suspected HIPAA Breach

A defensible breach response follows the same sequence whether the incident is a stolen laptop, a ransomware event, or a misdirected fax.
Step 1: Contain (hour 0 to 24). Stop the ongoing exposure. Revoke compromised credentials, isolate affected systems, recover lost devices, retract misdirected communications. Preserve logs; do not rebuild or wipe systems before forensic capture.
Step 2: Preserve evidence (day 1 to 3). Pull access logs, email logs, endpoint telemetry, and any physical evidence. Engage forensic counsel if the incident involves external actors or may be criminal.
Step 3: Conduct the four-factor risk assessment (day 3 to 14). Document each factor, the supporting evidence, and the conclusion. Have two reviewers sign off. If the conclusion is "low probability of compromise," the risk assessment becomes the file you retain for six years.
Step 4: Notify (day 14 to 60). If reportable, issue individual notifications, HHS notification, and (if applicable) media notifications. Do not wait until day 59. OCR settlements repeatedly cite "notification within 60 days" as a shorthand for "you waited until the last possible day instead of acting promptly."
Step 5: Remediate (day 14 to 180). Close the root cause. Tighten access controls, encrypt the device class, update the business associate agreement, retrain the workforce member, improve the monitoring rule. Document the remediation.
Step 6: Update the risk analysis and policies. The incident becomes an input to the next annual HIPAA risk assessment. Policies, procedures, or training that failed in this incident must be revised, approved, and rolled out.
This workflow is the same one auditors expect to see in the incident response binder during an OCR investigation or a SOC 2 audit that includes the HIPAA supplement.
Special Cases
Ransomware. OCR's 2016 ransomware guidance treats a ransomware incident as a breach of unsecured PHI unless the covered entity or business associate can demonstrate that PHI was not acquired or viewed. In practice, this almost always triggers notification, because encryption-by-attacker is treated as evidence of unauthorized acquisition. Modern ransomware attacks also exfiltrate data before encrypting, which eliminates any ambiguity.
Lost or stolen devices. Full-disk encryption with strong pre-boot authentication, documented and enforced via MDM, is the single most reliable way to convert a lost device into a non-reportable incident. Laptops stolen from cars are the most-cited source of breaches in OCR's historical enforcement data.
Insider snooping. A workforce member who accesses a celebrity patient's record out of curiosity has committed a breach and is personally liable for the Tier 2 or Tier 3 penalty. Covered entities must have access monitoring sufficient to detect the activity.
Third-party subcontractor breaches. The business associate that directly suffers the breach notifies the covered entity. The covered entity notifies individuals. Subcontractor BAAs must flow these obligations down.
Cloud and SaaS vendor incidents. A SaaS vendor storing PHI that suffers an infrastructure-layer compromise is a business associate incident: the BA must notify the CE, and the CE notifies individuals. See Is Zoom HIPAA compliant? for the BAA provisions that govern this flow for a major vendor.
Frequently Asked Questions
What is the threshold number for a HIPAA breach?
There is no minimum threshold. A breach affecting even one individual is reportable. Breaches affecting 500 or more individuals trigger additional obligations: immediate HHS notification (within 60 days rather than annual batching), media notification, and listing on the OCR Breach Portal.
Is every PHI disclosure a HIPAA breach?
No. A disclosure must be impermissible under the Privacy Rule to be a breach. Treatment, payment, and healthcare operations uses are generally permitted. The three formal exceptions (inadvertent same-organization disclosure, good-faith accidental acquisition, and incidents where the recipient could not reasonably retain the PHI) also exclude certain fact patterns.
Does the 60-day breach notification clock start at discovery or investigation?
It starts at discovery. HIPAA defines discovery as the first day the covered entity or any employee (other than the person who caused the breach) knew or reasonably should have known about the incident. Delays in completing the investigation do not extend the deadline.
Are encrypted laptops exempt from breach notification?
If encryption meets the HHS guidance (NIST SP 800-111 for data at rest, FIPS 140-2 validated for data in transit) and the decryption key was not compromised in the same incident, the PHI is considered secured and the loss is generally not a reportable breach. Partial encryption, weak encryption, or a password stored alongside the key negates the exemption.
What happens if I miss the 60-day deadline?
Late notification is a separate HIPAA violation on top of the breach itself. OCR has issued six-figure settlements in cases where the breach itself would have drawn a smaller penalty but the delay in notification turned it into a willful-neglect tier violation.
Do I need to notify the media for a small breach?
Only breaches affecting more than 500 residents of a state or jurisdiction trigger the media notification requirement. Smaller breaches require individual notification only, plus HHS notification on the annual batch timeline.
Is a BA the primary notifier, or the covered entity?
The covered entity is always the primary notifier to individuals. The BA notifies the CE without unreasonable delay. Contractually, BAAs usually require the BA to provide full breach details including affected individuals, dates, PHI types, and mitigation actions so the CE can complete its notifications on time.
The Takeaway
Most HIPAA breach debates are decided on documentation rather than facts. The four-factor risk assessment, run and written down immediately after discovery, is the single most valuable asset in the file. Organizations that run it carefully avoid unnecessary notifications. Organizations that skip it because "it was obviously not a breach" find themselves on the Wall of Shame six months later.
Build the breach response playbook before the breach. Train the workforce to recognize and report suspected incidents within 24 hours. Encrypt the data that can be encrypted. Retain the risk assessments for six years. These four decisions determine almost every HIPAA enforcement outcome.
For the broader HIPAA compliance context, start with the HIPAA compliance guide. For the technical controls that prevent most breaches in the first place, see HIPAA security rule safeguards.
