Summary
- A HIPAA breach is any unauthorized access, use, or disclosure of protected health information (PHI).
- Breaches can result from cyberattacks, employee mistakes, or improper sharing of data.
- Covered entities and business associates must report certain breaches within 60 days.
- Fines can reach millions—especially for unreported or repeated violations.
- Common causes include tracking technologies, email errors, and client-side script exposures.

What Counts as a HIPAA Breach?
Under the Health Insurance Portability and Accountability Act (HIPAA), a breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.
This includes:
- Access by unauthorized personnel (internal or external)
- PHI exposure via unsecured systems or URLs
- Improper sharing with vendors without a BAA
- Loss or theft of unencrypted devices
- Cyberattacks like ransomware or phishing
- Online tracking tools that leak PHI to third parties
If there’s a reasonable chance the PHI could be misused, it’s presumed to be a breach unless the organization can prove otherwise.
What Is Considered PHI in a Breach?
Protected Health Information (PHI) includes any health-related data tied to an individual. This includes:
- Names
- Email addresses or IP addresses linked to care
- Dates of birth
- Medical conditions
- Appointment data
- Health insurance information
In digital environments, even cookie IDs or device fingerprints can be PHI if linked to a specific patient or care context.
What Are the HIPAA Breach Notification Requirements?
HIPAA’s Breach Notification Rule requires covered entities and business associates to:
- Notify affected individuals within 60 calendar days of discovery
- Report breaches to HHS via the OCR Breach Portal
- Notify the media if the breach affects 500+ individuals in a single state or jurisdiction
- Report breaches affecting fewer than 500 individuals to HHS annually, by the end of the following calendar year
Failing to report a breach in time can result in civil penalties—even if no harm occurred.
What Is the Risk Assessment Requirement?
Not every security incident is a HIPAA breach. HIPAA allows for a four-factor risk assessment to determine if an incident rises to the level of a reportable breach:
- What type of PHI was involved? (e.g., diagnoses, SSNs, financial data)
- Who accessed or received the PHI?
- Was the PHI actually viewed or acquired?
- To what extent was the risk mitigated? (e.g., encryption, retrieval, deletion)
If the risk is low based on these factors, the incident may not require breach notification. But documentation is essential to justify that decision.
FAQ
Is accidental email exposure considered a HIPAA breach?
Yes, if an email with PHI is sent to the wrong recipient, it’s a breach unless the sender can verify the recipient didn’t access or retain the data.
Can tracking pixels cause a HIPAA breach?
Yes. If a tracking tool (e.g., Meta Pixel or Google Analytics) collects PHI—like appointment booking behavior or user IDs—and sends it to a third party, that counts as unauthorized disclosure.
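The check below is an added example (not code from the original article) of how a site owner can audit captured outbound browser requests for exactly this pattern: PHI-like fields, or a care-context page path, being sent to a host that is not the organization's own. The first-party hostname, the PHI field list and the four captured request records are constructed placeholders; in practice the records would come from a CSP report endpoint or a fetch/XHR wrapper.

```javascript
// Audit outbound requests for PHI-like data flowing to third-party hosts.
// Hostnames, field names and request records are constructed for this example.
const FIRST_PARTY_HOSTS = new Set(["portal.clinic.example"]); // placeholder
// Query/body fields that identify a patient or a care event (see the PHI list above).
const PHI_FIELDS = new Set(["patient_id", "email", "dob", "appointment", "condition"]);
// Page paths whose mere disclosure ties a user to a care context.
const CARE_PATH = /\/(appointments?|book|patient)\b/i;

// Returns a finding for one request, or null when nothing is sent off-site.
function auditRequest(req) {
  const url = new URL(req.url);
  const thirdParty = !FIRST_PARTY_HOSTS.has(url.hostname);
  if (!thirdParty) return null;
  // Collect field names from the query string and any JSON/form body.
  const fields = new Set([...url.searchParams.keys()]);
  for (const k of Object.keys(req.body || {})) fields.add(k);
  const leaked = [...fields].filter((f) => PHI_FIELDS.has(f.toLowerCase()));
  // Analytics tools typically forward the page path; a booking or patient
  // page path alone is a care-context disclosure to a third party.
  const careContext = CARE_PATH.test(req.referrer || "");
  if (leaked.length === 0 && !careContext) return null;
  return { url: req.url, host: url.hostname, fields: leaked, careContext };
}

function auditRequests(reqs) {
  return reqs.map(auditRequest).filter(Boolean);
}

// Constructed sample: four requests captured on a first-party booking page.
const SAMPLE_REQUESTS = [
  { url: "https://portal.clinic.example/api/book?patient_id=123",
    referrer: "https://portal.clinic.example/book" },
  { url: "https://analytics.thirdparty.example/collect?ev=page_view&dp=%2Fbook",
    referrer: "https://portal.clinic.example/book" },
  { url: "https://pixel.thirdparty.example/tr?event=Schedule",
    body: { email: "pat@example.test", appointment: "2024-05-01" },
    referrer: "https://portal.clinic.example/book" },
  { url: "https://cdn.thirdparty.example/lib.js",
    referrer: "https://portal.clinic.example/" },
];

// Expected: two findings (the analytics hit and the pixel), the first-party
// API call and the plain script download are not flagged.
const FINDINGS = auditRequests(SAMPLE_REQUESTS);
```

Each finding is the evidence the four-factor risk assessment asks for: which PHI element left the site, to whom, and from which page.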
What happens if we fail to report a breach?
Penalties vary by severity and negligence level, but fines can reach up to $1.9 million per violation type per year. HHS considers failure to report a serious compliance failure.
Conclusion
A HIPAA breach isn’t just a security incident—it’s a compliance and legal event that triggers specific notification obligations. Healthcare organizations and business associates must:
- Understand what qualifies as PHI and how it’s exposed
- Monitor systems—including websites and client-side scripts—for unauthorized disclosures
- Report qualifying breaches promptly and document mitigation efforts
- Limit PHI exposure through proactive controls, encryption, and script governance
As more PHI flows through web apps and online tools, client-side security is now a frontline HIPAA compliance priority.