OCRHIPAA Breach Notification Rule

HIPAA Breach Definition and Four-Factor Risk Assessment (45 CFR 164.402)

Definition of breach and the four-factor low-probability-of-compromise assessment that determines whether a non-permitted use or disclosure triggers notification.

Primary source

45 CFR 164.402 — eCFR

https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402

Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.

45 CFR 164.402 defines "breach" as the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.

An impermissible use or disclosure is presumed to be a breach. To rebut the presumption, the covered entity must perform and document a risk assessment based on at least four factors:

  1. The nature and extent of the PHI involved (identifiers, likelihood of re-identification, types of sensitive information).
  2. The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the PHI has been mitigated.

If the documented assessment demonstrates a low probability of compromise, the impermissible use or disclosure is not a breach and notification is not required.

Three exclusions at 164.402(1)-(3) sit outside this analysis: unintentional good-faith workforce access; inadvertent disclosure between authorized workforce members; and inability of the recipient to retain the PHI (typical fact pattern: a mistakenly-mailed letter that the recipient returns unopened).

The risk assessment must be in writing and retained for six years.

Use this in your workspace

D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.

Related regulations

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Last reviewed May 23, 2026 · Citation verified May 23, 2026

Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.