The Three Exceptions to a HIPAA Breach


Many people have a “better safe than sorry” mentality when it comes to privacy and HIPAA breaches. Similar to how doctors, nurses, and technicians often consider incidental disclosures to be privacy violations, many privacy officers consider any impermissible disclosure to be a breach. However, there are three exceptions to a breach that all staff members should be aware of.

1. Unintentional Acquisition, Access, or Use

The first exception to a breach is when an employee unintentionally acquires, accesses, or uses protected health information (PHI) in good faith within the scope of their authority, and they do not further disclose the PHI in a manner not permitted by the rule.

For example, a technician might accidentally open the wrong patient chart while carrying out her authorized duties. Her viewing of PHI was both unintentional and during the course of her duties; therefore, the exception applies. However, if the technician opened the chart to snoop, she is acting deliberately and not in good faith, making the viewing of PHI a breach.

Additionally, if the technician shares the PHI she accidentally saw in a way that is not permitted, such as gossiping, then this is a breach. The only case in which she may further disclose the information is when it is used for the patient’s treatment, which the Privacy Rule permits. In that case, the exception still applies.

2. Inadvertent Disclosure to an Authorized Person

The second exception to a breach is when a person authorized to access PHI accidentally shares PHI with another authorized person at the same organization, and PHI is not further disclosed in a manner not permitted by the rule.

For example, a nurse emails the wrong lab results to a doctor, and the doctor tells him that it’s the wrong file and deletes the email. The exception applies here because the disclosure was inadvertent, both the nurse and the doctor are authorized to access PHI, they both work at the same hospital, and the doctor didn’t further share the information.

3. Inability to Retain PHI

The third exception is when an organization disclosing PHI believes in good faith that the unauthorized person receiving the information wouldn’t have been able to retain it.

For example, a clinic mails explanation of benefits (EOB) letters to the wrong people, and the post office returns some of the letters unopened. Most likely, the addressees didn’t see or retain the information inside these envelopes, so the exception applies. However, the EOBs that weren’t returned should be treated as potential breaches.

The key to this exception is whether or not the unauthorized person is able to retain the information. For example, a pharmacy may hand out the wrong prescription, and the patient returns the prescription before leaving the building. In this case, the pharmacy can make an on-the-spot assessment as to whether the patient was able to retain any of the other patient’s information, such as their name or date of birth.

In Summary

Human errors are common, and not all disclosure errors threaten the privacy of PHI. If every impermissible disclosure were treated as a breach, healthcare would become gridlocked. Therefore, the HIPAA Privacy Rule allows these three exceptions to a breach.

Next time a potential breach comes to light, don’t jump to conclusions. First, gather all the facts and see whether or not an exception applies. If one does, document the incident and the exception you applied and keep it on record. If none of the exceptions apply, conduct the four-factor breach assessment to determine the risk level.



Gain Peace of Mind With the Right HIPAA Compliance Tool

When a potential HIPAA violation comes to your attention, you can use the Breach Risk Assessment Tool in our HIPAA management software to discover whether or not the incident was a breach. The tool will guide you through applying the exceptions to a breach and evaluating your risk level.

If a breach did occur, you can record the details in the Breach Notification Log with the click of a button. If a breach did not occur, you can record the incident in the Security Incident log, along with a description of what you did to mitigate the incident.

To learn more about how HIPAAtrek can help you create a culture of compliance at your organization, request a personalized demo or reach out to us at
