
Do I Have to Report a HIPAA Breach? A Small Practice's Guide

The worst time to learn how the HIPAA Breach Notification Rule works is the morning you discover a breach. By then the clock is already running, the decisions are urgent, and the temptation to either over-react or quietly hope it goes away is strongest. Both of those reactions get small practices into trouble.

This guide answers the question every practice owner eventually asks: do I actually have to report a HIPAA breach, and if so, to whom and by when? It walks through what legally counts as a breach, the risk assessment that decides whether you must notify anyone, the deadlines that apply, and the records you need to keep. None of it requires a compliance department — it requires knowing the rules before you need them.

What counts as a HIPAA breach?

Under the HIPAA Breach Notification Rule, a breach is generally an impermissible use or disclosure of unsecured protected health information (PHI) that compromises the security or privacy of that information, as HHS’s Office for Civil Rights explains. Two words in that definition do a lot of work.

The first is unsecured. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized people is not “unsecured.” HHS guidance defines that narrowly: encryption consistent with the NIST standards HHS cites, or destruction of the media. Two caveats matter in practice. The safe harbor depends on the decryption key not having been exposed along with the data, so a laptop whose passphrase travels in the same bag is not “secured.” And it covers only the data that was actually encrypted: full-disk encryption protects the records on a powered-off laptop, not a copy of the same records that was emailed in plaintext the week before. This is why encryption at rest and in transit is more than a security control: a lost laptop full of strongly encrypted records is a very different event from a lost laptop full of plaintext ones. Encryption can take an incident out of breach-notification territory entirely.

The second is impermissible use or disclosure. Not every security event is a breach. A piece of malware that never touched PHI, or a phishing email an employee reported without clicking, may be a serious security incident worth investigating without being a reportable breach. The rule is specifically about PHI being used or disclosed in a way HIPAA does not permit.

There are also three defined exceptions that are not treated as breaches: unintentional, good-faith access by a workforce member acting within the scope of their role; an inadvertent disclosure between two people both authorized to access PHI at the same organization; and a disclosure where you have a good-faith belief the unauthorized recipient could not reasonably have retained the information (a misdirected letter returned unopened, for example). The first two apply only if the information is not further used or disclosed improperly. These exceptions are narrow and fact-specific; document why one applies if you rely on it.

A breach is not “something bad happened to a computer.” It is unsecured PHI used or disclosed in a way HIPAA does not allow. Knowing the difference is what keeps you from both under-reporting and panic-reporting.

Is it reportable? The four-factor risk assessment

Here is the part many small practices miss: once you have an impermissible use or disclosure of unsecured PHI, it is presumed to be a breach that requires notification — unless you can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

That assessment is built around four factors:

  1. The nature and extent of the PHI involved. What kind of data, and how identifying or sensitive is it? A list of appointment times is a different risk profile than a spreadsheet of names paired with diagnoses and Social Security numbers.
  2. Who the unauthorized person was. Did the PHI go to another HIPAA-covered entity bound by the same rules, or to an unknown party? Disclosure to someone already obligated to protect it lowers the risk.
  3. Whether the PHI was actually acquired or viewed. Was there evidence the information was opened and read, or only that it was potentially accessible? A forensics finding that a file was never opened matters here.
  4. The extent to which the risk has been mitigated. Did you get satisfactory assurances the data was destroyed or returned, or shut off access before it could be misused?

You weigh all four together. If — and only if — they support a conclusion of low probability of compromise, notification may not be required. Otherwise, you notify. The key discipline is that this is a documented analysis, not a gut call. “We decided it wasn’t a big deal” is not a risk assessment; a written evaluation of the four factors is.

A quick reference: is this a reportable breach?

Use this as a first-pass screen, not a substitute for the documented four-factor analysis:

Situation | Likely reportable? | Why
Lost/stolen device with strongly encrypted PHI (key not exposed) | Usually no | PHI is “secured”; encryption removes it from the unsecured category
Lost/stolen device with unencrypted PHI | Usually yes | Unsecured PHI presumed compromised; encryption would have prevented this
Phishing email reported, never clicked, no PHI accessed | Usually no | No impermissible use or disclosure of PHI occurred
Vendor (business associate) breach exposing your patients’ PHI | Usually yes | Presumed breach unless low probability shown; BA must notify you
Email with PHI sent to the wrong patient | Case-by-case | Run the four-factor assessment; document the conclusion
Workforce member’s good-faith, in-scope accidental access | Often excepted | May fall under a defined exception if not further disclosed

When the screen says “case-by-case” or “yes,” move to the documented assessment and treat notification as the default.

Who do you notify, and by when?

If the assessment lands on “reportable,” HIPAA defines three audiences and a clock for each. The trigger for the clock is discovery — a breach is treated as discovered on the first day it is known, or by reasonable diligence should have been known, to your organization.

  • Affected individuals — without unreasonable delay and no later than 60 calendar days from discovery. Notice is generally by first-class mail (or email if the individual agreed to electronic notice) and must describe, in plain language, what happened, what data was involved, what you are doing about it, and what steps the individual can take to protect themselves.
  • The HHS Secretary (Office for Civil Rights). Timing depends on size. A breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days from discovery, at the same time the individual notices go out. A breach affecting fewer than 500 individuals is logged and reported to HHS in an annual submission, due no later than 60 days after the end of the calendar year in which the breach was discovered (not the year it occurred).
  • The media — for breaches affecting more than 500 residents of a state or jurisdiction — via notice to prominent local media outlets, again without unreasonable delay and within the 60-day window. This is the rule that turns a large breach into a local-news story. (These deadlines and thresholds come straight from HHS’s Breach Notification Rule guidance.)

Notification timeline at a glance

Who | Threshold | Deadline from discovery
Affected individuals | Any reportable breach | Without unreasonable delay; no later than 60 days
HHS / OCR | 500 or more individuals | Without unreasonable delay; no later than 60 days
HHS / OCR | Fewer than 500 individuals | Annual log, submitted within 60 days after the end of the calendar year of discovery
Prominent local media | More than 500 residents of a state or jurisdiction | Without unreasonable delay; no later than 60 days

A critical nuance for small practices: 60 days is an outer limit, not a target. “Without unreasonable delay” means you cannot sit on a known breach for 59 days because the calendar lets you. Investigate promptly and notify as soon as you reasonably can.

When the breach is your vendor’s, not yours

Much of a modern practice’s PHI lives with business associates: your EHR, billing platform, scheduling tool, and any transcription, coding, or other AI-driven services you use that handle patient data. When one of them is breached, the Breach Notification Rule still reaches you.

A business associate that discovers a breach must notify the covered entity, generally within 60 days of discovery. From there, the duty to notify affected individuals typically rests with the covered entity — your practice — unless your agreement assigns it otherwise. That is why a business associate agreement that clearly spells out breach roles and timing is not boilerplate; it is the document that tells you who does what when a vendor incident becomes your notification obligation. It is also why disciplined vendor risk management for a small practice pays for itself the day a vendor sends you a breach notice.

The practical risk is the handoff. Your clock to patients generally starts when the breach is known to your practice, or would have been with reasonable diligence, and a business associate must notify you without unreasonable delay and no later than 60 days from its own discovery, per HHS guidance. In practice that can mean a vendor’s notice reaches you well into its investigation, leaving you less of your own window than you would like. One further wrinkle: if the business associate is acting as your agent under the relevant agreement and the way you actually direct its work, its discovery is treated as your discovery, and your 60 days run from the day the vendor knew, not the day it told you. Build your agreements and your intake process so a vendor notice triggers immediate action on your side, not a slow read.

The records that protect you

Whether or not an event turns out to be reportable, documentation is what demonstrates you handled it correctly. HIPAA’s general documentation requirement means these records must be retained for at least six years from the date they were created or last in effect. Keep, for each incident:

  • A written description of what happened and when it was discovered.
  • The four-factor risk assessment and the conclusion it supported — especially if you concluded notification was not required.
  • Copies of any notifications sent (individuals, HHS, media) and the dates.
  • Evidence of mitigation: access shut off, data returned or destroyed, credentials reset, monitoring increased.
  • Your maintained log of smaller breaches (fewer than 500) for the annual HHS submission.

This recordkeeping is the connective tissue between your day-to-day security and your legal obligations. It is also where a calm, rehearsed incident-response process for the first 24 hours earns its keep — the practice that already knows how to preserve evidence and document decisions is the practice that can prove, later, that it met the rule.

Common small-practice mistakes

  • Treating every security event as a breach (or treating none of them as one). The four-factor assessment exists precisely to separate the two — skip it and you either over-notify needlessly or under-notify illegally.
  • Starting the clock too late. Discovery, not “when we finished investigating,” starts the 60-day count.
  • Assuming the vendor handles patient notification. Unless your BAA says so, the covered entity usually owns notifying individuals.
  • Not documenting the “no breach” decision. A defensible low-probability conclusion that exists only in someone’s memory is, for compliance purposes, no conclusion at all.
  • No plan until it happens. The rule rewards preparation; improvisation under a 60-day deadline is how avoidable mistakes get made.

The Byzantine takeaway

The Breach Notification Rule is not designed to punish honest practices — it is designed to make sure people whose data is exposed find out in time to protect themselves. A small practice meets it not with a compliance department but with a few durable habits: know what counts as a breach, run and document the four-factor risk assessment, understand the 60-day clock and the 500-individual thresholds, and write your business associate agreements so a vendor breach does not quietly eat your timeline.

Where to start: draft a one-page breach-response checklist for your office that names who runs the four-factor assessment, where incidents get documented, and the notification deadlines above — then keep it where your team can find it at 8 a.m. on a bad morning. That single page, prepared in advance as a team effort, is what turns a frightening event into a managed one.