How to Handle a PHI Leak

You must notify patients and the U.S. Department of Health and Human Services (HHS) of "unsecured" protected health information (PHI) leaks or breaches.

HHS defines unsecured protected health information as PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in HHS guidance, such as encryption or destruction.

If your practice is a covered entity under HIPAA, every impermissible use or disclosure of PHI is presumed to be a breach, and you must report it to the affected patient(s) and the HHS secretary unless you can demonstrate a "low probability that the PHI has been compromised."

The HIPAA omnibus rule requires you to evaluate at least the following four factors in your risk assessment:

  • The nature and extent of the PHI involved in the breach, including the types of identifiers and the likelihood of reidentification;
  • The identity of the person who impermissibly used the PHI or to whom the impermissible disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk associated with the impermissible use or disclosure of the PHI has been mitigated.

If you determine your patients' PHI was compromised by a breach, you must:

  • Notify each affected individual without unreasonable delay and no later than 60 calendar days after the breach is discovered (a breach is treated as discovered on the first day it is known to you or, with reasonable diligence, would have been known to you); and
  • Send the following information in writing by first-class mail, or by email if the patient has agreed to receive notices electronically:
    • A brief description of the breach,
    • Type of PHI involved,
    • Steps the person should take to protect themselves from potential harm,
    • Steps you are taking to mitigate harm and protect against future breaches, and
    • How the person can obtain more information about the breach.

For breaches affecting fewer than 500 people, you also must notify HHS no later than 60 days after the end of the calendar year in which the breach was discovered; these smaller breaches may be reported together annually. Report by visiting the HHS website and filling out and electronically submitting a breach report form.

If the breach affects 500 or more people, notify HHS at the same time you notify the affected individuals (without unreasonable delay and no later than 60 calendar days after discovery) rather than waiting for the annual report, and HHS will post the breach on its website. If more than 500 residents of a state or jurisdiction are affected, you also must notify prominent media outlets serving that state or jurisdiction within the same time frame. Additional requirements also apply.

See the HHS Breach Notification Rule page for details and a link to the reporting form.


NOTICE: The Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought. This information is provided as a commentary on legal issues and is not intended to provide advice on any specific legal matter.


Last Updated On

March 18, 2022

Originally Published On

March 23, 2010