In 2023, OCR received over 700 large breach reports from covered entities and business associates — each one triggering federal and state notification obligations, media attention, and significant remediation costs. But not every impermissible use or disclosure of protected health information requires notification. Understanding exactly when a breach notification is not required is one of the most consequential compliance decisions your organization will make, and getting it wrong in either direction carries serious risk.

The Default Rule: Every Impermissible Disclosure Is Presumed a Breach

Under the Breach Notification Rule (45 CFR §§ 164.400–414), an impermissible use or disclosure of PHI is presumed to be a breach unless your organization demonstrates a low probability that the protected health information was compromised. This is a critical starting point. The burden of proof rests on your covered entity or business associate — not on the affected individual and not on OCR.

That presumption can be overcome in two ways: by applying the four-factor risk assessment defined in the rule, or by demonstrating that one of three narrow statutory exceptions applies. Let's break down both pathways.

Three Exceptions Where a Breach Notification Is Not Required

The Omnibus Rule of 2013 codified three specific exceptions to the definition of a breach. If an impermissible use or disclosure falls squarely within one of these exceptions, notification is not required — and you do not even need to perform a risk assessment.

Exception 1: Unintentional Acquisition by a Workforce Member Acting in Good Faith

If a workforce member unintentionally acquires, accesses, or uses PHI while acting within the scope of their authority, and the access was made in good faith, the incident is not considered a breach. A common example: a nurse opens the wrong patient chart in the EHR, realizes the mistake immediately, and closes the record. No further use or disclosure occurs.

The key qualifiers are unintentional, within scope of authority, and good faith. A billing clerk who deliberately searches for a celebrity's records does not qualify — even if the clerk claims it was accidental.

Exception 2: Inadvertent Disclosure Between Authorized Persons

When a person authorized to access PHI at a covered entity or business associate inadvertently discloses it to another person who is also authorized to access PHI at the same organization (or an organized health care arrangement), the incident is excluded from breach notification requirements. For instance, a lab technician accidentally emails a patient's lab results to the wrong physician within the same health system.

This exception requires that both the sender and the recipient be authorized — and that the disclosure happens within the same covered entity, business associate, or organized health care arrangement.

Exception 3: Good Faith Belief That the Recipient Cannot Retain the Information

If your organization has a good faith belief that the unauthorized recipient could not reasonably retain the PHI, notification is not required. A fax sent to the wrong number that reaches a disconnected line, or a misdirected email that bounces back as undeliverable, may fall under this exception.

Document your reasoning carefully. "Good faith belief" must be based on facts, not assumptions. If the fax went through to an active number, you cannot simply hope the recipient discarded it.

The Four-Factor Risk Assessment That Determines Your Obligation

When none of the three exceptions applies, your organization must conduct a documented risk assessment using the four factors specified in 45 CFR § 164.402(2). This is where most compliance teams either protect or expose their organizations.

  • Factor 1: The nature and extent of the PHI involved. What types of identifiers were exposed? Did the disclosure include Social Security numbers, diagnoses, or treatment information? The more sensitive and identifiable the data, the higher the risk.
  • Factor 2: The unauthorized person who received or accessed the PHI. Was it another covered entity bound by HIPAA? A random member of the public? An entity with no obligation to protect health information?
  • Factor 3: Whether the PHI was actually acquired or viewed. If you can demonstrate through forensic evidence or system logs that the data was not opened, downloaded, or viewed, the probability of compromise drops substantially.
  • Factor 4: The extent to which the risk has been mitigated. Did the unauthorized recipient confirm destruction of the data? Did your organization retrieve the misdirected records? Prompt, documented mitigation efforts directly reduce the assessed probability of compromise.

After weighing all four factors, if you can demonstrate a low probability that the PHI was compromised, notification is not required. But you must document your analysis thoroughly. OCR has investigated and penalized organizations that concluded "no breach" without adequate documentation to support the determination.

Common Mistakes That Lead to OCR Enforcement Actions

Healthcare organizations consistently struggle with two aspects of this process. First, they fail to document the risk assessment at all, treating the analysis as an informal hallway conversation instead of a formal compliance determination. Second, they conflate "no harm occurred" with "low probability of compromise." These are not the same standard. OCR does not require proof of actual harm; the question is whether you can demonstrate a low probability that the PHI was compromised.

In several enforcement actions, OCR has imposed civil money penalties not because the underlying incident was severe, but because the organization failed to conduct or document a proper risk assessment and missed the 60-day notification deadline as a result. Penalties under the HIPAA enforcement tiers can reach $2,067,813 per violation category per year, as adjusted for inflation.

Documentation Practices That Protect Your Organization

Every incident involving an impermissible use or disclosure — no matter how minor it appears — should generate a written record that includes the date of discovery, the facts of the incident, which exception or risk assessment factor applies, and the final determination. This documentation is your primary defense if OCR opens an investigation months or years later.

Your workforce must be trained to recognize and report potential breaches immediately. Delayed reporting compresses your timeline for investigation, risk assessment, and notification. Investing in comprehensive HIPAA training and certification ensures that every member of your team — from front desk staff to IT administrators — knows when to escalate an incident.

When in Doubt, Notify

If your risk assessment is a close call, notification is almost always the safer path. The reputational cost of a reported breach is real, but it pales in comparison to the penalties and corrective action plans that follow an OCR finding that you should have notified but didn't. The 60-day clock under 45 CFR § 164.404 starts on the date the breach is discovered — or the date it would have been discovered through reasonable diligence — not the date your investigation concludes.

Building a culture of compliance starts with understanding both your obligations and your exceptions. Knowing precisely when a breach notification is not required — and being able to prove it — is a hallmark of a mature privacy program. If your organization needs to strengthen its compliance posture, explore HIPAA Certify's workforce compliance program to ensure your team is prepared to handle every incident correctly from day one.