Breach of Unsecured PHI
An impermissible use or disclosure of PHI that is presumed to be a breach unless a four-factor risk assessment shows a low probability that PHI was compromised.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
45 CFR 164.402 defines breach and exempts good-faith unintentional access, inadvertent intra-organization disclosures, and disclosures to people who could not reasonably retain the PHI. PHI is "unsecured" if it is not rendered unusable through encryption that meets the HHS guidance or destruction per NIST SP 800-88.
How it shows up in your practice
Lost laptops, misdirected faxes, mis-sent emails, and ransomware events are the most common incidents that hit the four-factor analysis. Document the analysis in writing — OCR routinely asks for it.
Sources
- 45 CFR 164.402 — Breach definitionshttps://www.ecfr.gov/current/title-45/section-164.402
- HHS — Breach Notification Rulehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Run the four-factor risk analysis in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- HIPAA & PrivacyFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- SecurityEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- SecurityEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- GlossaryEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
- RegulationHIPAA Breach Notification Rule Overview (45 CFR 164.400-414)When unsecured PHI is accessed, used, or disclosed in a manner not permitted, the entity must follow individual, HHS, and (in some cases) media notification requirements within defined timelines.
- ComplianceBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.