What Are Reportable HIPAA Breaches? What Are the Exemptions?


Following the HIPAA breach notification requirements is a must for all HIPAA covered entities. This entails developing a breach response plan to follow should a breach of protected health information (PHI) occur. Covered entities that have yet to experience a health data breach, or that have only just begun serving healthcare clients, may not have a good working knowledge of the requirements. Nevertheless, failure to comply incurs financial penalties just the same.

According to the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), breaches involving electronic or physical copies of protected health information must be reported by covered entities and their business associates. A breach is the unauthorized acquisition, access, use or disclosure of protected health information. Reportable HIPAA breaches include ransomware attacks, improper disclosures, exposure of PHI, and unauthorized access to PHI by employees and third parties. There are, however, PHI incidents that are exempt from the HIPAA Breach Notification Rule. These include:

  • Breaches of secured PHI, such as encrypted data where the key needed to decrypt it was not accessible
  • Unintentional (good-faith) acquisition, access or use of PHI by an authorized person that does not result in further use or disclosure
  • Inadvertent disclosure of PHI by an authorized person to another person within the organization who is equally authorized to access it
  • Disclosure of PHI by a covered entity or business associate where there is a good-faith belief that the recipient did not retain the information

When a reportable HIPAA breach occurs, the HIPAA Breach Notification Rule requires (1) notification by letter to all persons whose PHI has been accessed, disclosed, viewed or used; (2) notification of the Department of Health and Human Services (HHS); (3) notification of the media; (4) posting a substitute breach notice on the breached entity’s website; and (5) notification of the state attorney general.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/