What Counts as a HIPAA Breach
How to distinguish a reportable breach from a security incident, when exceptions apply, and what documentation small clinics should capture immediately.
The safest starting point is to treat a suspected event as an incident, preserve the facts, and then evaluate whether it rises to the level of a reportable breach.
What clinics should capture first
Document what happened, when it was discovered, what information was involved, who had access, what systems were touched, and what containment steps were taken.
Why the answer is rarely immediate
Teams often know there was exposure or disruption before they know whether PHI was unsecured, whether an exception applies, or whether the event created a reportable compromise.
The practical rule
Do not decide too early, and do not delay documentation while waiting for complete information. Good incident handling lets the decision record improve as the facts improve.