The HITECH "Breach" Definition Explained: When an Impermissible Disclosure Requires Notification (45 CFR § 164.402)

Executive Summary

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, a “breach” has a precise and legally significant definition. Not every unauthorized access, use, or disclosure of Protected Health Information (PHI) qualifies, but when one does, covered entities and business associates must act swiftly and in full compliance with federal notification requirements. This article examines the breach definition under 45 CFR § 164.402, outlines how to evaluate incidents using the prescribed four-factor risk assessment, and offers step-by-step guidance for small practices to ensure they meet their notification obligations.

Understanding the Legal Definition of a “Breach” Under 45 CFR § 164.402


Statutory Definition

Under 45 CFR § 164.402 of the HIPAA Breach Notification Rule, a breach is defined as:

“…the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.”

This definition is qualified in two ways: paragraph (1) of the definition carves out three exclusions, and paragraph (2) establishes a presumption of breach that can be rebutted only by a documented risk assessment. Both are described below.

Key Criteria for a Breach Determination

  1. Involves Unsecured PHI – The information must be protected health information governed by HIPAA. The notification obligations apply only to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, by encryption consistent with HHS guidance).

  2. Not Permitted – The acquisition, access, use, or disclosure must violate the Privacy Rule (subpart E).

  3. Compromises Security or Privacy – An impermissible use or disclosure is presumed to compromise the PHI unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

A breach is therefore presumed unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised.

The Four-Factor Risk Assessment: Required for Every Incident

Before determining whether notification is necessary, covered entities and business associates must evaluate an impermissible use or disclosure against at least the following four factors, as required by § 164.402(2):

  1. Nature and extent of the PHI involved – What types of identifiers and how much information were involved? Was the information sensitive (e.g., names, SSNs, diagnoses, financial data), and how likely is it that the data could be re-identified?

  2. The unauthorized person who used the PHI or to whom it was disclosed – Who received the information? Are they themselves bound by HIPAA or another confidentiality obligation (e.g., another provider or covered entity)?

  3. Whether the PHI was actually acquired or viewed – Was the information actually opened, viewed, or retained by the recipient, or was it merely exposed (e.g., a lost laptop later recovered with evidence that it was never accessed)?

  4. Extent to which the risk has been mitigated – Were steps taken to lessen the risk, such as obtaining satisfactory assurances that the recipient destroyed the information and did not further use or disclose it?

The outcome of this risk assessment must be thoroughly documented; under § 164.414 the covered entity or business associate bears the burden of demonstrating that notification was not required. If the assessment does not support a “low probability of compromise,” the incident is a breach and notification is required.

What Is Not a Breach: Three Regulatory Exceptions


According to § 164.402(1), certain impermissible disclosures are exempt from the breach notification rule:

1. Unintentional Acquisition, Access, or Use by a Workforce Member

If a workforce member or a person acting under the authority of a covered entity or business associate unintentionally acquires, accesses, or uses PHI in good faith and within the scope of that authority, and does not further use or disclose it in a manner not permitted by the Privacy Rule, the incident is not a breach.

Example: A nurse accidentally opens the wrong patient’s chart and closes it immediately upon realizing the mistake, without using or sharing the information.

2. Inadvertent Disclosure Between Authorized Individuals

An inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity (or the same organized health care arrangement) is not a breach, provided the information is not further used or disclosed impermissibly.

Example: A medical assistant sends test results to the wrong provider within the same practice; that provider is also authorized to access PHI at the practice and takes no further action with the results.

3. Recipient Could Not Reasonably Have Retained the Information

If the covered entity or business associate has a good-faith belief that the unauthorized person who received the PHI would not reasonably have been able to retain it, the incident is not a breach.

Example: A billing statement mailed to the wrong address is returned unopened by the postal service.

When Notification Is Required: Legal and Practical Obligations

Notification Requirements Under §§ 164.404, 164.406 and 164.408

A breach is treated as discovered on the first day it is known to the covered entity or, by exercising reasonable diligence, would have been known (§ 164.404(a)(2)). If the risk assessment confirms a breach of unsecured PHI, the covered entity must notify:

  • Affected Individuals (§ 164.404): Without unreasonable delay, and no later than 60 calendar days after discovery, by first-class mail or by e-mail if the individual has agreed to electronic notice.

  • HHS Secretary (§ 164.408):

    • For fewer than 500 individuals: record the breach in a log and submit it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered

    • For 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days after discovery, contemporaneously with the individual notices

  • Media (§ 164.406): If more than 500 residents of a single State or jurisdiction are affected, notify prominent media outlets serving that area, also without unreasonable delay and no later than 60 calendar days after discovery.

A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery (§ 164.410), so that the covered entity can meet its own deadlines.

Notifications to individuals must include the following content (§ 164.404(c)):

Required Notification Elements

  • A brief description of what happened, including the date of the breach and the date of discovery, if known

  • A description of the types of unsecured PHI involved (e.g., full name, Social Security number, date of birth, diagnosis)

  • Any steps individuals should take to protect themselves from potential harm resulting from the breach

  • What the covered entity is doing to investigate the breach, mitigate harm to individuals, and protect against further breaches

  • Contact procedures for questions, which must include a toll-free telephone number, an e-mail address, website, or postal address

Special Considerations for Small Practices

Compliance Pitfalls

Common errors and the risk each creates:

  • Failing to document risk assessments – The § 164.402 presumption of breach cannot be rebutted, and the entity cannot meet its burden of proof under § 164.414

  • Assuming minor incidents are exempt – May overlook exposure of sensitive PHI that requires notification

  • Delayed reporting to HHS – Can trigger civil monetary penalties under HIPAA as amended by HITECH

  • Omitting required content in letters – Produces a noncompliant breach notification that may have to be reissued

Recommended Action Plan

  1. Develop a Breach Response Protocol
    Create a written policy detailing:

    • Internal breach reporting

    • Timeframes

    • Assessment responsibilities

  2. Assign a Breach Response Officer
    This may be your HIPAA Privacy Officer or designated staff person trained in incident analysis and reporting.

  3. Maintain a Risk Assessment Log
    For each impermissible disclosure, complete the four-factor assessment and retain documentation for six years.

  4. Use Secure Communication Channels
    Train staff on avoiding unsecured email, public Wi-Fi, or verbal disclosures in shared spaces.

  5. Train Staff Annually
    Include breach identification and response in annual HIPAA training for all employees.

Case Study: Failure to Notify Leads to OCR Enforcement

A small orthopedic clinic in the Southwest experienced a misdirected fax incident in which patient records were sent to the wrong pharmacy. The breach was not reported within the required 60-day window. A patient eventually learned of the incident and filed a complaint.

OCR launched an investigation and found the practice lacked a documented risk assessment process and failed to notify the HHS Secretary. The result was a financial settlement and the imposition of a corrective action plan that included staff retraining and policy revisions.

Takeaway: Small size does not exempt a provider from full compliance with breach notification timelines and documentation requirements.

Common Pitfalls and How to Avoid Them

Pitfall 1: Assuming Small Mistakes Aren’t Breaches
A common misconception in small practices is that minor incidents, such as sending a fax to the wrong recipient or discussing a patient in a shared space, aren’t breaches if no harm is apparent. However, HIPAA defines a breach based on probability of compromise, not perceived severity.

How to Avoid It: Always conduct and document the required four-factor risk assessment, even for minor or accidental disclosures. The rule presumes a breach unless you can demonstrate a low probability of compromise through a documented risk assessment.

Pitfall 2: Skipping the Risk Assessment Entirely
If an impermissible disclosure is never assessed against the four factors in § 164.402, the presumption of breach stands and notification is required; skipping the assessment and then failing to notify is a violation. OCR has issued corrective actions and fines for lack of documentation, even when the incident itself was minor.

How to Avoid It: Create a standardized risk assessment form and train staff to initiate the process immediately after any suspected incident. Keep all completed assessments in a secure log for six years, as required by HIPAA.

Pitfall 3: Delayed Notification to Affected Individuals and HHS
Many practices underestimate the strict 60-day deadline after breach discovery. Delays, even unintentional ones, can lead to enforcement actions and civil monetary penalties.

How to Avoid It: Assign a breach response officer responsible for monitoring timelines. Set automated reminders and internal deadlines to ensure compliance ahead of the 60-day requirement.

Pitfall 4: Incomplete Breach Notification Letters
HIPAA requires specific content in breach notifications. Generic or vague letters that fail to inform patients of what happened, what data was affected, and how to protect themselves can lead to noncompliance.

How to Avoid It: Use a template that includes all required elements: a description of the breach, types of PHI involved, protective actions, mitigation efforts, and contact information. Have legal or compliance staff review letters before sending.

Pitfall 5: Overlooking Media Notification Requirements
When a breach affects more than 500 residents of a single State or jurisdiction, notification to prominent media outlets serving that area is required. Practices often skip this step, either from lack of awareness or concern about negative publicity.

How to Avoid It: Include media notification in your breach response policy. Know your patient population and prepare draft press release language in advance to speed up your response if a large-scale breach occurs.

Breach Determination and Response Checklist

Action Item – Responsible Party

  1. Conduct 4-factor risk assessment – HIPAA Privacy Officer

  2. Document findings and determination – HIPAA Privacy Officer

  3. Determine if breach notification is required – Legal/Compliance Lead

  4. Notify affected individuals (within 60 days of discovery) – Compliance or Admin Staff

  5. Notify HHS via portal (within 60 days of discovery if 500 or more individuals; otherwise via the annual log) – Compliance Officer

  6. Notify media (if more than 500 residents of a State or jurisdiction) – Practice Manager

  7. Maintain incident documentation (6 years) – HIPAA Compliance Team

References and Further Reading

  1. HHS Breach Notification Rule Overview

  2. OCR Breach Reporting Portal (Submit or View Reports)

  3. HIPAA Journal: What is a HIPAA Data Breach?

Final Thoughts and Next Steps


The definition of a “breach” under 45 CFR § 164.402 is more than a formality; it is the trigger for rigorous documentation, disclosure, and legal obligations. For small practices, having a consistent process for incident evaluation, risk assessment, and timely notification is not only a regulatory mandate but also a vital step in maintaining patient trust.

Next Steps for Your Practice:

  • Audit existing incident response procedures for alignment with § 164.402

  • Provide all staff with training on breach identification and reporting protocols

  • Use the HHS Breach Portal to familiarize your compliance team with reporting expectations:
    https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

To further strengthen your compliance posture, consider using a HIPAA compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.
