What is a HIPAA Security Incident?
A HIPAA security incident is an event that threatens the confidentiality, integrity, or availability of electronic Protected Health Information (PHI) regardless of whether the event is successful or not. It is important that all security incidents are tracked and reviewed to identify potential weaknesses in security defenses.
Misunderstandings can sometimes exist with regards to the distinction between the definition of a HIPAA security incident and the definition of a HIPAA breach. Although the two events are quite often linked, not all security incidents result in breaches, and not all breaches are attributable to security incidents.
One of the reasons misunderstandings can exist about the two terms is that their definitions appear in separate subparts of the HIPAA Administrative Simplification Regulations. For example, the HIPAA security incident definition appears in §164.304 of the HIPAA Security Rule:
“Security incident means the attempted (emphasis added) or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
However, the HIPAA breach definition does not appear until §164.402 of the HIPAA Breach Notification Rule. This is because breaches are events that can compromise Protected Health Information (PHI) regardless of the media on which PHI is maintained:
“Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part [the HIPAA Privacy Rule] which compromises the security or privacy of the protected health information.”
Therefore, the attempted infiltration of an information system does not necessarily have to be successful before the event qualifies as a HIPAA security incident. Similarly, an impermissible verbal disclosure of PHI qualifies as a HIPAA breach even though no security incident has occurred.
HIPAA Security Incident Examples
There are three main HIPAA security incident types – those that do not infiltrate an information system because they are denied access by a security technology (e.g., an email filter), those that infiltrate an information system but are identified before they have an adverse effect (e.g., by anti-virus software), and those that infiltrate an information system and cause an adverse event before they are identified (e.g., a backdoor attack).
Other HIPAA security incident examples that are stopped before they can have an adverse effect include unsuccessful brute force attacks on log-in credentials, pings and scans looking for undefended network ports, and phishing emails that are identified as such by the recipient and forwarded to the security team for investigation. The interception of an encrypted communication also qualifies as a non-reportable HIPAA security incident.
Incidents that result in adverse events are often avoidable. Common causes include misconfigured email filters, unpatched vulnerabilities, user interactions with phishing emails, and general carelessness. In addition, insider threats – both malicious and accidental – account for approximately 35% of HIPAA data breaches once snooping, the loss or theft of a device, and the misdelivery of emails are taken into account.
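The three incident types above, together with the reporting rules discussed in the next section, lend themselves to a simple classification step in an incident-tracking system. The following is an added example (not code from the HIPAA Journal or from any regulation) that classifies constructed incident records into the three types, flags which ones a covered entity must treat as a notifiable breach of unsecured PHI, and decides whether a business associate must report them. The field names, the sample records, and the reading of “unsuccessful” as “no adverse effect” are all assumptions of this example; the low-probability-of-compromise determination is taken as an input from a separate risk assessment rather than modelled here.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class IncidentType(Enum):
    DENIED = "denied access by a security control before entering the system"
    CONTAINED = "entered the system but identified before any adverse effect"
    ADVERSE_EVENT = "entered the system and caused an adverse event before detection"


@dataclass(frozen=True)
class Incident:
    incident_id: str
    description: str
    entered_system: bool            # got past the boundary control (mail filter, lockout, firewall)?
    adverse_effect: bool            # altered/disclosed PHI or disrupted operations before detection?
    unsecured_phi_exposed: bool     # PHI in usable (e.g. unencrypted) form was acquired or disclosed
    low_probability_of_compromise: bool = False  # outcome of the separate risk assessment (assumed input)


def classify(inc: Incident) -> IncidentType:
    """Map an incident record onto the three incident types described in the article."""
    if not inc.entered_system:
        return IncidentType.DENIED
    if not inc.adverse_effect:
        return IncidentType.CONTAINED
    return IncidentType.ADVERSE_EVENT


def covered_entity_must_notify(inc: Incident) -> bool:
    """A covered entity notifies affected individuals and OCR only for a breach of
    *unsecured* PHI, and not when the risk assessment finds a low probability of compromise."""
    return (classify(inc) is IncidentType.ADVERSE_EVENT
            and inc.unsecured_phi_exposed
            and not inc.low_probability_of_compromise)


def business_associate_must_report(inc: Incident, advance_notice_given: bool) -> bool:
    """A business associate reports every incident to the covered entity, unless advance
    notice of unsuccessful incidents was already given. 'Unsuccessful' is read here
    (an assumption of this example) as 'no adverse effect occurred'."""
    if classify(inc) is IncidentType.ADVERSE_EVENT:
        return True
    return not advance_notice_given


def review_log(incidents) -> dict:
    """Summarise a tracked incident list the way a periodic review would: counts per type
    and the records that require a breach notification."""
    counts = Counter(classify(i).name for i in incidents)
    return {
        "counts": dict(counts),
        "notifiable": [i.incident_id for i in incidents if covered_entity_must_notify(i)],
    }


# Constructed sample incident records for illustration only (not real events).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "phishing email blocked by the mail filter", False, False, False),
    Incident("INC-002", "brute-force login attempts stopped by account lockout", False, False, False),
    Incident("INC-003", "malware quarantined by anti-virus before it ran", True, False, False),
    # Intercepted ciphertext is unusable, so the interception has no adverse effect.
    Incident("INC-004", "encrypted VPN traffic intercepted in transit", True, False, False),
    Incident("INC-005", "email with unencrypted patient list sent to the wrong practice", True, True, True),
    Incident("INC-006", "backdoor used to exfiltrate unencrypted records", True, True, True),
    # Encrypted disk with the key held elsewhere: the PHI is secured, so no notification.
    Incident("INC-007", "lost laptop with an encrypted disk", True, True, False),
    # Misdelivery to another covered entity that confirmed deletion: risk assessment found low probability.
    Incident("INC-008", "fax with unencrypted PHI sent to another covered provider", True, True, True, True),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, classify(inc).name, "notify" if covered_entity_must_notify(inc) else "-")
    print(review_log(SAMPLE_INCIDENTS))
```

The useful design point is that the three-way classification and the two reporting decisions are kept separate: every record, including denied and contained attempts, stays in the log for review, while only the adverse events that exposed unsecured PHI reach the notification path. Whether a business associate must report a contained or denied attempt depends solely on the advance-notice term in the Business Associate Agreement, which the caller passes in.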
Is a HIPAA Security Incident a Notifiable Event?
Whether or not a HIPAA security incident is a notifiable event is a fact-specific determination. Covered entities are not required to report security incidents unless they result in a breach of unsecured PHI – in which case it is necessary to notify affected individuals and HHS’ Office for Civil Rights unless there is a low probability that the unsecured PHI has been compromised. The method for determining that probability is explained in this article.
However, under §164.314 of the HIPAA Security Rule, business associates are required to report all security incidents to the covered entity they are providing a service for. This requirement must be included in Business Associate Agreements between covered entities and business associates. Therefore, if a business associate fails to report a HIPAA security incident, they are in violation of HIPAA unless notice of unsuccessful security incidents has been provided in advance.
Additionally, covered entities are required to monitor a business associate’s compliance with the Business Associate Agreement. Therefore, if no advance notice has been provided, and a covered entity receives no reports of a HIPAA security incident, the covered entity should ask why no reports of HIPAA security incidents have been received. The failure to ask is a violation of §164.504 of the HIPAA Privacy Rule for failing to exercise reasonable diligence.
Incident or Breach? Be Sure You Know Which is Which
It is important to know the difference between a HIPAA security incident and a HIPAA breach because these events are clearly defined in the HIPAA Administrative Simplification Regulations. Therefore, there are no mitigating circumstances for covered entities that fail to document security incidents, or for business associates that fail to report security incidents to covered entities if no prior notice has been provided.
While the requirements of the respective HIPAA Rules can create extra administrative work, the documents produced as a result of the extra work can be used to simplify risk analyses and more easily identify threats. Consequently, complying with the documentation and reporting requirements not only avoids unnecessary violations, but can also help improve an organization’s security posture.
Covered entities and business associates who are still unsure about the distinction between a HIPAA security incident and a HIPAA breach are advised to seek independent HIPAA compliance advice.