HIPAA Incident Classification Tree

A structured decision tree for classifying security and privacy incidents under HIPAA. Covers the security vs. privacy distinction, PHI involvement, breach vs. impermissible disclosure vs. near-miss, the three breach exceptions, the four-factor risk assessment, and required notification actions with timelines. Designed for front-line staff and Privacy Officers.

Short answer

A decision tree for classifying HIPAA incidents: security or privacy, PHI involved, breach or near-miss, which of the three breach exceptions applies, the four-factor risk assessment, and which notification actions are required — with regulatory citations at each node.

What is inside

Security vs. privacy incident triage: the first decision node distinguishes between a security incident under the Security Rule and a privacy incident under the Privacy Rule — the response procedures differ and both may apply simultaneously
PHI involvement determination: structured questions for determining whether PHI was involved in the incident, including the commonly missed categories (scheduling data with identifiers, paper records, voicemail with patient information)
The three breach exceptions under 45 CFR § 164.402: unintentional workforce acquisition, inadvertent disclosure to authorized workforce, and inability of unauthorized person to retain — explained with practical examples of when each does and does not apply
The four-factor risk assessment: a structured walkthrough of the four factors HHS requires to support a low probability of compromise finding — nature and extent of PHI, unauthorized person's identity, whether PHI was acquired or viewed, and mitigation extent
Notification decision output: based on the tree outcome, clear guidance on which notification actions are required (internal only, individual notification, HHS, media) and on what timeline

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026

Best next step: Open the matching product path

Sources

45 CFR § 164.402 — Definitions (Breach) | eCFR
45 CFR § 164.404 — Notification to Individuals | eCFR
Breach Notification Rule Guidance | HHS

Download the PDF

Classify any suspected HIPAA incident in under 5 minutes

Enter your email and we will send the PDF.

Questions

What does the four-factor test actually require, and how do we document it?

The four-factor test at 45 CFR § 164.402(2) is used to determine whether a presumed breach — meaning an impermissible use or disclosure of unsecured PHI — can be demonstrated to have a low probability that PHI has been compromised. The four factors are: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed, or whether there is a strong likelihood it was not; (4) the extent to which the risk to PHI has been mitigated. The analysis must be documented. If all four factors support a low probability of compromise, breach notification is not required — but you must retain the documentation of the analysis.

A staff member reported a near-miss — they almost sent records to the wrong patient. No PHI was actually disclosed. Is there still a compliance action?

Yes, but the action is different from a breach response. A near-miss where PHI was not actually disclosed does not trigger breach notification, but it should be: logged in the incident log, investigated to understand how the near-miss occurred, and reviewed for whether a process change is warranted. The Security Rule's security incident procedures requirement at 45 CFR § 164.308(a)(6) covers near-misses — covered entities must identify and respond to suspected or known security incidents, document incidents and their outcomes, and mitigate harmful effects.

Who should use this decision tree? Only the Privacy Officer, or front-line staff?

The decision tree is designed to be used in two ways. Front-line staff should use the first section — the triage questions — to determine whether an event they have observed warrants a report to the Privacy Officer. The Privacy Officer should use the full tree to conduct the formal classification analysis. The tree is not a substitute for the Privacy Officer's judgment; it is a structured framework that ensures all relevant questions are considered and the analysis is documented.

Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.