HIPAA Breach Definition and Four-Factor Risk Assessment (45 CFR 164.402)
Definition of breach and the four-factor low-probability-of-compromise assessment that determines whether a non-permitted use or disclosure triggers notification.
Primary source
45 CFR 164.402 — eCFR →https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
45 CFR 164.402 defines "breach" as the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.
An impermissible use or disclosure is presumed to be a breach. To rebut the presumption, the covered entity must perform and document a risk assessment based on at least four factors:
- The nature and extent of the PHI involved (identifiers, likelihood of re-identification, types of sensitive information).
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
If the documented assessment demonstrates a low probability of compromise, the impermissible use or disclosure is not a breach and notification is not required.
Three exclusions at 164.402(1)-(3) sit outside this analysis: unintentional good-faith workforce access; inadvertent disclosure between authorized workforce members; and inability of the recipient to retain the PHI (typical fact pattern: a mistakenly-mailed letter that the recipient returns unopened).
The risk assessment must be in writing and retained for six years.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationHIPAA Security Incident Procedures (45 CFR 164.308(a)(6))Required standard for identifying and responding to security incidents involving ePHI, with mitigation, documentation, and outcome tracking.
- RegulationHIPAA Individual Breach Notification (45 CFR 164.404)Required content, methods, and 60-day deadline for notifying affected individuals after a breach of unsecured PHI.
- RegulationHIPAA Breach Notification Rule Overview (45 CFR 164.400-414)When unsecured PHI is accessed, used, or disclosed in a manner not permitted, the entity must follow individual, HHS, and (in some cases) media notification requirements within defined timelines.
- ComplianceHHS HIPAA Breach Portal: How to File a Breach NotificationFiling through ocrportal.hhs.gov is the single most-visible compliance act a practice ever performs. Here is the form, the numbers, and the choices that drive the OCR response.
- SRAChange Healthcare Ransomware: What Small Practices Took AwayThe February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
- ComplianceHIPAA Breach Notification: The 60-Day Window Step-by-StepFrom discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.
- GlossaryFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.