Module 4 of 5
HIPAA Privacy Basics

Breaches & Enforcement

What constitutes a reportable breach, the 60-day notification clock, civil and criminal penalty tiers, and high-profile cases that reshaped compliance programs.

45 CFR §§ 164.400–164.414 | 45 CFR Part 160 Subpart D

Module Overview

What You'll Learn

Lessons 13–14

  • Breach definition: 45 CFR § 164.402
  • Unsecured PHI and the encryption safe harbor
  • Three breach exceptions
  • 4-factor risk assessment

Lessons 15–16

  • 60-day notification requirement
  • Three required notification types
  • Wall of Shame and public reporting
  • Civil and criminal penalty structure

Legal Definition

What Is a Breach?

45 CFR § 164.402 — Definition

"The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part [the Privacy Rule] which compromises the security or privacy of the protected health information."

Unsecured PHI

PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance: encryption consistent with NIST guidance, or destruction (shredding paper, or sanitizing electronic media consistent with NIST SP 800-88). Only breaches of unsecured PHI trigger notification obligations, so a lost laptop whose drive was encrypted to the guidance is not a reportable breach, provided the decryption key was not also compromised. This is the "encryption safe harbor."

Presumption of Breach

An impermissible acquisition, access, use, or disclosure is presumed to be a breach unless the covered entity or BA demonstrates that there is a low probability that the PHI has been compromised, based on the 4-factor risk assessment. The burden of proof is on the CE or BA, and the assessment must be documented.

45 CFR § 164.402 | 45 CFR § 164.400 (applicability)

Breach Exceptions

Three Situations That Are Not Breaches

Unintentional Access by Workforce

A workforce member inadvertently accesses PHI in good faith and within the scope of authority, and does not further use or disclose the PHI impermissibly.

Example: Nurse accidentally opens wrong patient chart and immediately closes it.

Inadvertent Disclosure Between Authorized Persons

An authorized workforce member inadvertently discloses PHI to another authorized person at the same organization, and the PHI is not further used or disclosed impermissibly.

Good Faith Belief That Recipient Cannot Retain

The covered entity has a good faith belief that the unauthorized person who received the PHI could not have reasonably retained it — such as a misdirected fax that is immediately returned/destroyed.

45 CFR § 164.402(1)(i)–(iii)

Risk Assessment

The 4-Factor Breach Risk Assessment

To rebut the presumption of breach, analyze all four factors:

Factor 1: Nature & Extent of PHI

What types of PHI were involved (clinical, financial, sensitive)? Could the information cause financial, reputational, or physical harm? Was a Social Security number or financial account involved?

Factor 2: Who Used or Received the PHI

Was the recipient another covered entity or BA? A member of the public? A criminal actor? Would they be obligated to protect the PHI or likely to misuse it?

Factor 3: Whether PHI Was Actually Acquired

Was the PHI actually viewed, or was there only opportunity for access? Was a laptop merely lost, or was data confirmed to have been exfiltrated?

Factor 4: Extent of Mitigation

Has the covered entity taken steps to mitigate harm? Was the information returned or destroyed? Were systems secured after discovery? Are individuals at risk of harm?

45 CFR § 164.402(2) | 78 Fed. Reg. 5641 (HHS preamble guidance)

Notification Requirements

The 60-Day Notification Clock

60 calendar days from discovery of the breach is the outer limit for all notifications

The rule requires notification "without unreasonable delay and in no case later than 60 calendar days after discovery." Sixty days is a ceiling, not a safe harbor: a CE that has the facts needed to notify on day 15 and waits until day 59 may still have delayed unreasonably. The only express exception is a documented law enforcement request to delay under 45 CFR § 164.412.

Discovery = Day 0

A breach is "discovered" on the first day it is known to the covered entity or BA, or by exercising reasonable diligence would have been known. Knowledge is imputed from any workforce member or agent of the entity other than the person who committed the breach, so the clock does not wait for the privacy officer to be told.

A BA must notify the CE without unreasonable delay and no later than 60 days after the BA discovers the breach. When the clock starts for the CE depends on the relationship: if the BA is acting as the CE's agent, the BA's discovery is the CE's discovery; if the BA is an independent contractor, the CE's clock runs from the BA's notice. The agency question is decided under the federal common law of agency, not by how the contract labels the parties.

Penalties for Late Notification

Failure to notify without unreasonable delay, and in any case within 60 days, is itself a HIPAA violation, separate from the underlying impermissible disclosure. Because it is a continuing violation, each day of delay can be counted as a separate violation under 45 CFR § 160.406.

45 CFR § 164.404(b) (discovery) | 45 CFR § 164.410(b) (BA notification to CE)

Who Must Be Notified

Three Required Notifications

Individual Notification

Written notice to each affected individual, without unreasonable delay and no later than 60 days after discovery. Sent by first-class mail to the last known address, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for fewer than 10 individuals, substitute notice may be by telephone or other alternative means; for 10 or more, it must be a conspicuous posting on the CE's website home page for 90 days or notice in major print or broadcast media, in either case with a toll-free number active for at least 90 days.

Must include, in plain language: a brief description of what happened, including the date of the breach and the date of discovery; the types of unsecured PHI involved; steps individuals should take to protect themselves; what the CE is doing to investigate, mitigate harm, and prevent recurrence; and contact procedures (a toll-free number, email address, website, or postal address).

Media Notification

Required when a breach involves more than 500 residents of a single state or jurisdiction. Notice goes to prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days after discovery. Note the thresholds differ: media notice is triggered by more than 500 residents of one state, while HHS notice is triggered by 500 or more individuals in total.

Same content requirements as individual notification.

HHS Notification

  • 500 or more individuals: notify HHS contemporaneously with individual notice, and no later than 60 days after discovery
  • Fewer than 500: record in an internal log and submit to HHS no later than 60 days after the end of the calendar year in which the breaches were discovered
  • HHS posts 500+ breaches publicly (Wall of Shame)

45 CFR §§ 164.404–164.408

Public Accountability

The HHS "Wall of Shame"

What It Is

HHS OCR is required by statute to post breaches affecting 500+ individuals on its public website. The listing includes the covered entity name, state, number of individuals affected, type of breach, and location of breached information.

Available at: hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting

Why It Matters

  • Public reputational damage — immediately searchable
  • Attracts plaintiffs' attorneys and class actions
  • Triggers state AG investigations
  • Signals to OCR for follow-up investigation
  • Informs competitors, partners, and patients
  • As of 2024: 5,000+ breaches listed dating to 2009

HITECH Act § 13402(e)(4) | hhs.gov/hipaa breach portal

Civil Monetary Penalties

4-Tier Civil Penalty Structure

Penalties are assessed per violation, with an annual cap on all violations of an identical provision in a calendar year. The dollar figures below are the base amounts set by HITECH § 13410(d) and 45 CFR § 160.404; HHS adjusts them for inflation each year (the 2023 adjustment puts the statutory annual cap at roughly $2.07 million). Under its 2019 Notification of Enforcement Discretion, OCR applies lower annual caps for Tiers 1–3, shown in parentheses; only Tier 4 keeps the full statutory cap.

Tier 1 — Did Not Know

CE or BA did not know and, by exercising reasonable diligence, would not have known of the violation

$100–$50K per violation
Cap: $1.5M/year statutory (OCR enforcement discretion: $25K/year)

Tier 2 — Reasonable Cause

Reasonable cause to know but not willful neglect: the CE or BA knew, or by reasonable diligence should have known, but did not act with conscious or reckless disregard

$1K–$50K per violation
Cap: $1.5M/year statutory (OCR enforcement discretion: $100K/year)

Tier 3 — Willful Neglect, Corrected

Willful neglect, but the violation was corrected within 30 days of the date the CE or BA knew or should have known of it

$10K–$50K per violation
Cap: $1.5M/year statutory (OCR enforcement discretion: $250K/year)

Tier 4 — Willful Neglect, Not Corrected

Willful neglect not corrected within 30 days; OCR is required to impose a penalty rather than resolve the matter informally

$50K per violation (minimum)
Cap: $1.5M/year statutory (no reduction under enforcement discretion)

45 CFR § 160.404 | HITECH Act § 13410(d) | HHS Notification of Enforcement Discretion, 84 Fed. Reg. 18151 (2019) | 45 CFR § 102.3 (annual inflation adjustments)

Criminal Enforcement

Criminal Penalties — 3 Tiers

42 U.S.C. § 1320d-6 — Wrongful Disclosure of Individually Identifiable Health Information

Tier 1
Knowing violation — knowingly, and in violation of HIPAA, uses or causes to be used a unique health identifier, obtains individually identifiable health information, or discloses it to another person

Up to $50,000 fine + 1 year imprisonment

Tier 2
False pretenses — violation committed under false pretenses (e.g., pretending to be a patient)

Up to $100,000 fine + 5 years imprisonment

Tier 3
For profit, malicious harm, or personal gain — violation committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

Up to $250,000 fine + 10 years imprisonment

Criminal cases are referred to the Department of Justice. HITECH § 13409 clarified that the statute reaches individuals, not only covered entities: an employee who obtains or discloses PHI without authorization can be prosecuted personally, and prosecutions have targeted individual workforce members (nurses, billing staff, front-desk employees) as well as organizations.

42 U.S.C. § 1320d-6

Landmark Settlements

High-Profile HIPAA Enforcement Cases

$16M

Anthem Inc. — 2018

Largest HIPAA settlement to date. A spear-phishing attack that began in early 2014 went undetected until January 2015 and exposed the ePHI of 78.8 million individuals. OCR findings: no enterprise-wide risk analysis, insufficient procedures to regularly review information system activity, failure to identify and respond to suspected or known security incidents, and failure to implement adequate minimum-necessary access controls.

$6.85M

Premera Blue Cross — 2020

Settlement announced in September 2020 for a breach discovered in 2015. Attackers gained access through a phishing email in May 2014 and were not detected until January 2015, exposing the ePHI of 10.4 million individuals. OCR found failures to conduct an enterprise-wide risk analysis, to implement risk management and audit controls, and to address known weaknesses in IT systems.

$5.55M

Advocate Health Care — 2016

Three separate breaches reported in 2013: four unencrypted desktop computers stolen from an administrative office, unauthorized access to a business associate's network, and an unencrypted laptop stolen from an unlocked vehicle. About 4 million individuals affected. At the time the largest OCR settlement against a single entity; OCR cited the absence of an accurate enterprise-wide risk analysis, inadequate physical access controls for workstations, and failure to obtain satisfactory assurances from the business associate.

HHS OCR Resolution Agreements — hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements

Module 4 Complete

What You've Covered