We Sent Records to the Wrong Person: Is It a HIPAA Breach?
Executive summary
Sending medical records to the wrong person by email, fax, or mail is usually an impermissible disclosure under the HIPAA Privacy Rule, and it is presumed to be a reportable HIPAA “breach” unless you can fit the event into a specific exclusion or you can document a four-factor risk assessment showing a low probability that the PHI was compromised.
Two points drive most real-world outcomes. First, the breach definition is not “data left the building” or “someone had bad intent.” It is whether PHI was acquired, accessed, used, or disclosed in a way not permitted by the Privacy Rule, and whether the event compromises the security or privacy of the PHI, with a presumption that it is a breach unless you can demonstrate low probability of compromise. Second, HIPAA places the burden of proof on the covered entity or business associate to show either that required notifications were made, or that the incident did not constitute a breach, and you must retain documentation for six years.
Practically, that means your “panic search” question (is this a breach?) turns into an engineering-style exercise: determine what was sent, who received it, whether it was actually viewed, and what mitigation you can prove with evidence (headers, logs, confirmations, tracking, attestations). Then decide whether notification is required, and if it is, execute on tight timelines (generally no later than 60 days from discovery for individual notice, with additional reporting depending on the size and geography of the incident).
Informational note: This report is for informational purposes only and does not constitute legal advice.
Legal framework that governs wrong-recipient disclosures
The controlling legal standard is in 45 CFR § 164.402. A “breach” is, broadly, an impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI. The regulation then carves out three exclusions, and otherwise creates a presumption: if the disclosure was impermissible, it is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability the PHI was compromised based on a risk assessment that considers at least four required factors.
The notification mechanics you must follow if the event is a breach are spelled out in the following Breach Notification Rule provisions:
Individual notice (45 CFR § 164.404) requires notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is “discovered,” with “discovered” defined to include when the breach is known or should have been known with reasonable diligence, including knowledge of workforce members or agents.
Media notice (45 CFR § 164.406) is required when the breach involves more than 500 residents of a state or jurisdiction, and it also follows the § 164.404 discovery concept.
Notice to the Secretary (45 CFR § 164.408) depends on whether the breach involves 500 or more individuals (then generally within the same timeframe as individual notice) or fewer than 500 (then via an annual log, submitted within 60 days after the end of the calendar year in which the breach was discovered).
Business associate notice (45 CFR § 164.410) requires a business associate to notify the covered entity following discovery of a breach of unsecured PHI, and the HHS breach notification guidance reiterates that the business associate must provide notice without unreasonable delay and no later than 60 days from discovery.
Law enforcement delay (45 CFR § 164.412) allows a temporary delay of required notifications if a law enforcement official states that notice would impede a criminal investigation or damage national security, with different handling for written versus oral statements (including a 30-day limit on oral statements unless a written statement is provided).
A final legal lever that matters a lot in wrong-recipient situations is whether the PHI is “unsecured.” HHS guidance explains that PHI is “secured” (and therefore not “unsecured PHI” subject to breach notification obligations) when it is rendered unusable, unreadable, or indecipherable to unauthorized individuals using specified technologies/methodologies, principally encryption and destruction, subject to conditions. The Federal Register discussion also encourages taking advantage of this safe harbor by encrypting PHI consistent with the guidance.
Breach vs security incident vs HIPAA violation
A HIPAA “breach” is a specific legal outcome under the Breach Notification Rule that, if triggered, carries notification duties (individual, HHS, sometimes media). It is not synonymous with “security incident,” and it is not synonymous with “HIPAA violation,” even though a breach typically involves (or is caused by) at least one violation.
A “security incident” is defined by the Security Rule as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. HIPAA-regulated entities must have security incident procedures: identify and respond to suspected or known incidents, mitigate harmful effects to the extent practicable, and document incidents and outcomes.
A wrong-recipient fax or mail event may involve no “information system operations” at all, so it may not be a Security Rule security incident in the narrow sense, but it is still often an impermissible disclosure under the Privacy Rule. The Privacy Rule’s general architecture is that uses and disclosures must be permitted by the rule (or authorized), and disclosures outside those permissions are impermissible. It also requires covered entities to reasonably safeguard PHI from intentional or unintentional impermissible use or disclosure, and to mitigate harmful effects of a known violation to the extent practicable.
A “HIPAA violation” is the broader category: failure to comply with HIPAA requirements (Privacy, Security, Breach Notification). A wrong-recipient disclosure can be a Privacy Rule violation even if it does not ultimately meet the Breach Notification Rule’s breach definition because an exclusion applies or because a documented risk assessment supports “low probability of compromise.”
The three breach exclusions and how they apply to email, fax, and mail
45 CFR § 164.402 excludes three categories from the breach definition. In operational work, these are your first filter, because if an exclusion clearly applies, the breach analysis ends (though you still mitigate and document).
The first exclusion is unintentional acquisition, access, or use of PHI by a workforce member (or someone acting under the authority of a covered entity or business associate), made in good faith, within the scope of authority, and not resulting in further impermissible use/disclosure. This tends to apply to internal mishandling before a disclosure to an external unauthorized party happens. For example, if a staff member accidentally opens the wrong patient PDF in the EHR, realizes immediately, closes it, and does not further use or disclose it outside permitted operations, this is more naturally evaluated as an internal incident that may fall within this exclusion, depending on facts and whether there was any further impermissible use or disclosure.
The second exclusion is an inadvertent disclosure by an authorized person to another authorized person at the same covered entity or business associate (or within an organized health care arrangement in which the covered entity participates), where the information is not further used or disclosed improperly. This one is commonly relevant to wrong internal recipient emails. If an authorized scheduler emails PHI to the wrong authorized nurse within the same clinic, and the nurse deletes it and does not further disclose it, the event may fit this exclusion. The same fact pattern with an external recipient (a personal Gmail account, a different clinic, an employer) will not fit this exclusion because the recipient is not “authorized to access PHI” at the same entity/OHCA.
The third exclusion is a disclosure of PHI where the covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. This is the exclusion most frequently invoked in misdirected mail scenarios with strong evidence of non-access. The Federal Register’s discussion provides a concrete example: if explanations of benefits are sent to the wrong individuals, but some are returned by the post office unopened as undeliverable, the covered entity can conclude the improper addressees could not reasonably have retained the information. By analogy, if a medical record package is mis-mailed but returned unopened with intact packaging, that is the kind of evidence that supports this exclusion’s logic.
For email and fax, this third exclusion is harder to apply cleanly when the message was delivered to a real inbox or a live fax machine at a real destination, because retention is usually technically possible. Where you have evidence that delivery did not occur (for example, an immediate bounce indicating no viable mailbox) or that the unauthorized recipient never had access to the contents (for example, the data was strongly encrypted such that the recipient could not render it readable), the analysis may move toward this exclusion or, more commonly, toward the “actually acquired or viewed” and mitigation factors in the four-factor risk assessment.
The four-factor risk assessment and what evidence actually moves the needle
If none of the three exclusions clearly applies, HIPAA presumes the impermissible disclosure is a breach unless you can demonstrate a low probability the PHI was compromised based on a risk assessment considering at least four factors: (1) nature and extent of PHI; (2) the unauthorized person; (3) whether PHI was actually acquired or viewed; and (4) mitigation. The Federal Register emphasizes that the analysis must address each factor and evaluate them in combination, that risk assessments should be thorough and in good faith, and that if the assessment fails to demonstrate low probability, notification is required.
Factor one, nature and extent, is where clinics often under-estimate risk. PHI is not limited to diagnoses and treatment details. The Federal Register explicitly notes PHI created/maintained by a business associate may be demographic or other data not diagnosis-specific, but if tied to a covered entity it can still be PHI because it indicates the individual received health care services or benefits. This matters in “billing-only” or “appointment-only” mis-mailings, and it is central to OCR’s enforcement narrative in the case of Sentara Hospitals, where mailed billing statements were treated as PHI even without diagnoses.
Factor two, the unauthorized person, is usually the biggest swing variable. The Federal Register indicates that if the PHI is disclosed to another entity bound by similar privacy/security obligations (for example, another HIPAA-regulated entity), there may be a lower probability of compromise. It also warns that certain recipients have special contextual power to re-identify or misuse information, and it provides an example involving disclosure to an employer where re-identification may be feasible based on other information. This is why disclosures to employers, the media, family members, or unknown members of the public are generally treated as higher risk than disclosures to another provider that immediately calls you and destroys the fax.
Factor three, whether PHI was actually acquired or viewed, is where operational evidence matters. The Federal Register contrasts “opportunity existed but no access” with “recipient opened and read.” It gives a mail example: if information is mailed to the wrong individual and the person opened the envelope and recognized it was mis-sent, then the recipient viewed and acquired it. In practice, this pushes you to collect evidence that suggests non-access, such as returned unopened mail, or system logs showing an email was not delivered or not opened, recognizing that “not opened” is sometimes hard to prove definitively with email.
Factor four, mitigation, requires you to look at what you did after discovery. The Federal Register explicitly calls out obtaining satisfactory assurances that information will not be further used or disclosed or will be destroyed, potentially via a confidentiality agreement or similar mechanism, and weighing whether you can rely on the recipient’s assurances depending on who the recipient is. The Privacy Rule separately requires mitigation of harmful effects to the extent practicable for known violations.
Table A: Evidence and mitigation strength by channel
Channel: Email
What "wrong recipient" usually means: message delivered to an unintended inbox, or the wrong attachment sent to the correct recipient.
Evidence that best supports factor three (acquired/viewed): SMTP or service logs showing delivery versus bounce; secure messaging portal access logs; message recall success (only if the system can prove non-delivery). A recipient's confirmation of deletion does not by itself prove non-viewing.
Evidence that best supports factor four (mitigation): written attestation from the recipient covering no further use or disclosure, deletion of all copies, and no forwarding; if the recipient is another HIPAA-regulated entity, its own obligations can reduce risk.
Typical mitigation strength (context-dependent): moderate when the recipient is a regulated entity and you can validate deletion; weaker when the recipient is an unknown member of the public.

Channel: Fax
What "wrong recipient" usually means: dialed the wrong number or the wrong programmed contact; records printed at an unintended machine.
Evidence that best supports factor three (acquired/viewed): fax server logs showing the number dialed and the transmission status; direct call verification to the number that received it. Confirmation that pages printed is still not proof of viewing.
Evidence that best supports factor four (mitigation): recipient returns or destroys the documents and provides written confirmation; confidentiality assurance; stronger when the recipient is another provider with HIPAA obligations.
Typical mitigation strength (context-dependent): often moderate if the recipient quickly destroys the pages and is trustworthy; weak if the recipient is an employer or an unknown office.

Channel: Mail
What "wrong recipient" usually means: printed or sent to the wrong address; pages inserted in the wrong envelope; label merge error.
Evidence that best supports factor three (acquired/viewed): USPS or courier tracking; returned unopened envelope; photos of intact packaging; internal fulfillment logs showing what was sent and to whom. Returned unopened items map to the "could not retain" rationale in the HHS discussion.
Evidence that best supports factor four (mitigation): retrieval (return to sender); written statement from the unintended recipient that they did not open the item and returned or destroyed it; redesigning controls to prevent recurrence supports the broader mitigation posture.
Typical mitigation strength (context-dependent): stronger when returned unopened or rapidly retrieved; weaker when delivered and opened, or when the recipient is unknown.
The table reflects how OCR frames these issues: HIPAA is less impressed by your intentions and more impressed by your evidence. If you cannot support “low probability of compromise” with a reasonable, documented assessment, you should assume notification duties attach.
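The email row above says "SMTP logs showing delivery vs bounce" is the evidence that matters for factor three. The following is an added example, not code from the original page, showing what that lookup looks like in practice: it takes the Message-ID of the misdirected email, finds the Postfix queue ID(s) for it, and records the last logged delivery status for each recipient. The log excerpt is constructed sample data in Postfix's log format; the hostnames, addresses and queue IDs are placeholders, and the parser assumes short-format hexadecimal queue IDs.

```python
import re
from typing import Dict, List, Set

# Constructed Postfix-style log excerpt (sample data only, not from any real system).
# Message c0ffee01 is the misdirected one; d00d0002 is unrelated traffic that must be ignored.
SAMPLE_LOG = """\
Mar  3 09:12:41 mx1 postfix/cleanup[2216]: 4F1A2B3C4D: message-id=<c0ffee01@clinic.example>
Mar  3 09:12:42 mx1 postfix/qmgr[1110]: 4F1A2B3C4D: from=<records@clinic.example>, size=184233, nrcpt=3 (queue active)
Mar  3 09:12:44 mx1 postfix/smtp[2230]: 4F1A2B3C4D: to=<j.smith@gmail.example>, relay=mx.gmail.example[203.0.113.5]:25, delay=2.1, delays=0.2/0.01/0.9/1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 09:12:45 mx1 postfix/smtp[2231]: 4F1A2B3C4D: to=<nosuchuser@partner-clinic.example>, relay=mail.partner-clinic.example[198.51.100.9]:25, delay=3.0, delays=0.2/0.01/1.1/1.7, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Mar  3 09:12:45 mx1 postfix/smtp[2232]: 4F1A2B3C4D: to=<dr.lee@other-hospital.example>, relay=none, delay=0.5, delays=0.3/0.01/0.2/0, dsn=4.4.1, status=deferred (connect to mail.other-hospital.example[192.0.2.7]:25: Connection timed out)
Mar  3 09:20:03 mx1 postfix/cleanup[2240]: 5A6B7C8D9E: message-id=<d00d0002@clinic.example>
Mar  3 09:20:05 mx1 postfix/smtp[2241]: 5A6B7C8D9E: to=<other@elsewhere.example>, relay=mail.elsewhere.example[192.0.2.9]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Mar  3 09:42:10 mx1 postfix/smtp[2260]: 4F1A2B3C4D: to=<dr.lee@other-hospital.example>, relay=mail.other-hospital.example[192.0.2.7]:25, delay=1770, delays=1769/0.02/0.4/0.8, dsn=2.0.0, status=sent (250 2.0.0 Queued)
Mar  3 09:42:10 mx1 postfix/qmgr[1110]: 4F1A2B3C4D: removed
"""

# "<daemon>[pid]: <queue id>: <rest>"; short-format Postfix queue IDs are uppercase hex (assumption).
LINE_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
MSGID_RE = re.compile(r"message-id=<(?P<mid>[^>]+)>")
DELIVERY_RE = re.compile(
    r"to=<(?P<rcpt>[^>]+)>.*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+)"
)


def queue_ids_for_message(lines: List[str], message_id: str) -> Set[str]:
    """Map a Message-ID header value (without angle brackets) to the queue ID(s) logged by cleanup."""
    qids: Set[str] = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        mm = MSGID_RE.search(m.group("rest"))
        if mm and mm.group("mid") == message_id:
            qids.add(m.group("qid"))
    return qids


def classify(status: str, dsn: str) -> str:
    """Turn a final Postfix status into the factor-three evidence category it supports."""
    if status == "sent" and dsn.startswith("2."):
        return "handed_off"       # next hop accepted it: assume the recipient could retain and view it
    if status == "bounced" and dsn.startswith("5."):
        return "not_delivered"    # permanent rejection by the destination: supports non-access
    if status == "deferred":
        return "indeterminate"    # still queued when the log was cut; re-check after retries
    return "unknown"


def delivery_evidence(log_text: str, message_id: str) -> Dict[str, Dict[str, str]]:
    """Per-recipient final delivery status for one message. A later line for the same
    recipient (e.g. a retry after a deferral) replaces the earlier one."""
    lines = log_text.splitlines()
    qids = queue_ids_for_message(lines, message_id)
    final: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("qid") not in qids:
            continue
        d = DELIVERY_RE.search(m.group("rest"))
        if d:
            final[d.group("rcpt")] = {
                "status": d.group("status"),
                "dsn": d.group("dsn"),
                "evidence": classify(d.group("status"), d.group("dsn")),
                "log_line": line,   # preserve the raw line in the incident record before logs rotate
            }
    return final


if __name__ == "__main__":
    for rcpt, ev in delivery_evidence(SAMPLE_LOG, "c0ffee01@clinic.example").items():
        print(f"{rcpt}: {ev['evidence']} (status={ev['status']}, dsn={ev['dsn']})")
```

Two caveats belong in the write-up of the incident. status=sent proves only that the next hop accepted the message, not that a mailbox received it or that anyone opened it, so "handed_off" is the starting presumption for factor three, not a finding of non-viewing. A 5.x.x bounce from the destination's own server is the stronger non-delivery evidence; a deferral is not evidence of anything until the retries finish, which is why the last status for a recipient wins here.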
Immediate response playbook, documentation templates, and notification workflow
This section is intentionally operational. HIPAA compliance in a misdirected-disclosure scenario is mostly incident response discipline plus documentation hygiene, because you carry the burden of proof.
The timing anchor is “discovery.” Under § 164.404, a breach is treated as discovered when it is known to the covered entity, or would have been known with reasonable diligence, and the entity is deemed to have knowledge if workforce members or agents (other than the person committing the breach) know or should have known. That definition is what starts the 60-day outside limit for individual notice if the incident is a breach.
A disciplined response typically has five tracks running in parallel: containment, retrieval/mitigation, evidence preservation, risk assessment, and notification decisioning. For ePHI, Security Rule incident procedures require identifying and responding, mitigating harmful effects to the extent practicable, and documenting incidents and outcomes, which aligns well with the same steps you should take for Privacy Rule misdisclosures.
Containment means you stop further disclosures: halt the mail job, disable automated sending rules that caused a mail merge issue, revoke portal links, or suspend an integration that is auto-faxing. Evidence preservation means you freeze relevant logs and artifacts before they roll over: email headers, message IDs, fax server transmission logs, EHR audit logs, print queues, and mailing vendor manifests. HIPAA does not prescribe your specific log format here, but it does require that you maintain documentation sufficient to meet your burden under § 164.414(b), and to retain required documentation for six years.
Retrieval and mitigation is where you try to reduce compromise probability in defensible ways. The Privacy Rule requires mitigation of harmful effects to the extent practicable for known violations. The Federal Register discussion for the breach rule also specifically suggests obtaining satisfactory assurances that the information will not be further used or disclosed or will be destroyed, potentially through a confidentiality agreement or similar means, and weighing whether such assurances are reliable depending on the recipient. If you need a practical heuristic, “mitigation that you can prove” is the only kind that reliably reduces your reporting risk.
Documentation template with exact fields to record
Because “we looked at it and decided” is not evidence, a clinic should treat every misdirected disclosure as a ticketed incident with required fields. This maps to the legal burden of proof and retention requirements.
A workable documentation template should contain, at minimum, these fields:
Incident identifiers: incident ID; date/time discovered; date/time occurred (if known); discovered by whom; reporting channel (staff report, patient complaint, vendor notice).
Transmission channel: email, fax, mail; system/application used; sender identity/role; whether an external vendor was involved.
PHI description: patient count; patient identifiers involved; PHI types (demographics, account numbers, diagnoses, lab results, medication lists, imaging, HIV or reproductive health data, etc.).
Unauthorized recipient profile: confirmed identity (name/entity) or unknown; whether recipient is another HIPAA-regulated entity; whether recipient has known confidentiality obligations; relationship risk (employer, family member, media, unknown public).
Evidence collected: email headers/message IDs; SMTP delivery/bounce logs; portal access logs; fax dialed number and transmission logs; call notes to recipient; tracking numbers and delivery status; photos/scans of returned unopened mail; EHR audit logs; print logs.
Mitigation actions: retrieval attempt details; deletion request; written attestation obtained; confidentiality agreement; technical containment; workforce coaching/sanctions if applicable.
Risk assessment worksheet: factor-by-factor analysis (the four required factors), plus overall conclusion of low probability vs more than low probability; sign-off (privacy officer + counsel/compliance).
Notification decision: whether breach notification required; if yes, which notices (individual, HHS, media); deadlines computed from discovery; method of notice; copy of notices sent.
Retention and closeout: records retention location; retention clock; corrective actions implemented to prevent recurrence; closure date.
This is intentionally “audit-ready.” OCR’s enforcement materials emphasize that investigations are evidence-driven and often resolved through corrective action, voluntary compliance, or resolution agreements, with civil money penalties when resolution fails.
Short decision flow clinicians can follow
A clinician-friendly flow should be short enough to execute under stress, but structured enough to trigger the right escalation.
If PHI was sent to a non-patient or the wrong patient, assume it is an impermissible disclosure and report immediately to the privacy officer (or whoever fills that role in the clinic). Treat it as discovered on the first day any workforce member or agent (other than the person who caused it) knew or should have known, because that date starts the legal clocks.
Next, ask two questions in order. Does a breach exclusion clearly apply (for example, returned unopened mail that supports the “could not retain” rationale, or an internal authorized-to-authorized disclosure within the same entity with no further disclosure)? If yes, document the exclusion and mitigation, then close with corrective action. If no, perform and document the four-factor risk assessment, gathering the best available evidence about what was sent, who received it, whether it was viewed, and how well you mitigated. If the assessment cannot reasonably support low probability of compromise, proceed with breach notification steps.
Table B: Notification triggers and deadlines
Individual notice
Trigger: breach of unsecured PHI affecting an individual.
Deadline and timing rule: without unreasonable delay and no later than 60 calendar days after discovery; discovery includes when the breach was known or should have been known with reasonable diligence.
Authority: 45 CFR § 164.404

Media notice
Trigger: breach of unsecured PHI involving more than 500 residents of a state or jurisdiction.
Deadline and timing rule: following discovery as provided in § 164.404(a)(2); generally aligned with the 60-day outer limit for individual notice, absent a law enforcement delay.
Authority: 45 CFR § 164.406

Notice to HHS Secretary, 500 or more
Trigger: breach involving 500 or more individuals.
Deadline and timing rule: contemporaneously with individual notice and in the manner specified by HHS; HHS guidance also frames this as no later than 60 days from discovery.
Authority: 45 CFR § 164.408(b)

Notice to HHS Secretary, fewer than 500
Trigger: breach involving fewer than 500 individuals.
Deadline and timing rule: maintain a log/documentation and submit within 60 days after the end of the calendar year in which the breach was discovered; HHS notes you can report earlier but must report by the annual deadline.
Authority: 45 CFR § 164.408(c)

Business associate notice to covered entity
Trigger: breach of unsecured PHI at or by a business associate.
Deadline and timing rule: notify the covered entity following discovery; HHS guidance states without unreasonable delay and no later than 60 days from discovery.
Authority: 45 CFR § 164.410

Law enforcement delay
Trigger: a law enforcement official states that notification would impede a criminal investigation or damage national security.
Deadline and timing rule: delay for the period specified in a written statement; if the statement is oral, document it and delay no longer than 30 days from the statement unless a written statement is received in that time.
Authority: 45 CFR § 164.412
Two practical notes matter for clinics. First, HIPAA's breach notification obligations attach to "unsecured" PHI. If what was sent was rendered unusable, unreadable, or indecipherable per HHS guidance (for example, properly encrypted), breach notification may not be required even if the disclosure was impermissible, though you still document and address the underlying violation. Second, substitute notice rules (§ 164.404(d)(2)) apply if you lack sufficient or up-to-date contact information for some patients: for fewer than 10 such individuals, an alternative written, telephone, or other form of notice is permitted; for 10 or more, a conspicuous posting on your website home page for 90 days or conspicuous notice in major print or broadcast media is required, in either case with a toll-free number that stays active for at least 90 days.
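Because the deadlines in Table B are all computed from the same discovery date, the notification decision in the incident ticket can be generated mechanically and then reviewed. The block below is an added example, not from the page or from HHS, that encodes only the rules summarized in Table B (60 days from discovery, the 500-individual and more-than-500-residents thresholds, the annual log due 60 days after the end of the discovery year, and the 30-day cap on an oral law enforcement request). All dates and counts are constructed; the Incident fields are the example's own names. Where a law enforcement hold runs past the 60-day outer limit it flags the incident for counsel rather than inventing a rule, since § 164.412 sets the delay period without restating the outer limit.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

SIXTY_DAYS = timedelta(days=60)
ORAL_LE_CAP = timedelta(days=30)   # 164.412(b): oral statement, delay no longer than 30 days


@dataclass
class Incident:
    discovered: date                                   # discovery date per 164.404(a)(2)
    individuals: int                                   # individuals whose PHI was involved
    residents_by_state: Dict[str, int] = field(default_factory=dict)  # state -> affected residents
    unsecured: bool = True                             # False only if PHI met HHS encryption/destruction guidance
    is_business_associate: bool = False                # True when the reporting entity is a BA, not the CE
    le_written_delay_until: Optional[date] = None      # end date given in a written law enforcement statement
    le_oral_statement_on: Optional[date] = None        # date of an oral law enforcement statement


def law_enforcement_hold_until(inc: Incident) -> Optional[date]:
    """End of any 164.412 delay. A written statement controls; an oral one is capped at
    30 days from the statement unless a written statement follows (re-run with the written date)."""
    if inc.le_written_delay_until:
        return inc.le_written_delay_until
    if inc.le_oral_statement_on:
        return inc.le_oral_statement_on + ORAL_LE_CAP
    return None


def annual_log_deadline(discovered: date) -> date:
    """164.408(c): breaches of fewer than 500 go on a log submitted within 60 days
    after the end of the calendar year in which they were discovered."""
    return date(discovered.year, 12, 31) + SIXTY_DAYS


def notification_plan(inc: Incident) -> dict:
    """Which notices are owed and their outer deadlines, for the incident record.
    Assumes the exclusions and the four-factor assessment have already been applied and
    the event is a breach; if the PHI was secured, no notification duties attach."""
    plan = {"breach_notification_required": inc.unsecured, "notices": {},
            "notify_not_before": None, "counsel_review": False}
    if not inc.unsecured:
        return plan
    outer = inc.discovered + SIXTY_DAYS
    hold = law_enforcement_hold_until(inc)
    plan["notify_not_before"] = hold
    if hold and hold > outer:
        plan["counsel_review"] = True   # hold extends past the 60-day outer limit: document and escalate
    notices = plan["notices"]
    notices["individual"] = {"authority": "45 CFR 164.404", "no_later_than": outer}
    media_states = sorted(s for s, n in inc.residents_by_state.items() if n > 500)
    if media_states:
        notices["media"] = {"authority": "45 CFR 164.406", "states": media_states, "no_later_than": outer}
    if inc.individuals >= 500:
        notices["hhs"] = {"authority": "45 CFR 164.408(b)", "mode": "contemporaneous", "no_later_than": outer}
    else:
        notices["hhs"] = {"authority": "45 CFR 164.408(c)", "mode": "annual_log",
                          "no_later_than": annual_log_deadline(inc.discovered)}
    if inc.is_business_associate:
        # The BA's own duty is to the covered entity; the notices above then fall to the CE.
        notices["business_associate_to_covered_entity"] = {"authority": "45 CFR 164.410", "no_later_than": outer}
    return plan


if __name__ == "__main__":
    sample = Incident(discovered=date(2024, 3, 4), individuals=620, residents_by_state={"VA": 560, "NC": 60})
    for name, n in notification_plan(sample)["notices"].items():
        print(name, n)
```

The deadlines this produces are outer limits; the rule's operative standard is "without unreasonable delay", so the plan's dates should drive escalation, not scheduling. Keep the generated plan alongside the four-factor worksheet in the ticket so the timing decision is reconstructible later.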
Enforcement risk, OCR patterns, and prevention controls
HIPAA enforcement risk is not random. OCR publicly explains that it enforces through complaint investigations, compliance reviews, and other triggers, and that most investigations resolve through voluntary compliance, corrective action, and resolution agreements, with civil money penalties used when resolution is not achieved. Covered entities and business associates are required to cooperate with investigations and compliance reviews.
Misdirected disclosures show up in OCR enforcement when they expose systemic weaknesses (repeat events, lack of safeguards, inadequate training, or failure to notify). Three enforcement artifacts are especially instructive for “wrong person received records” scenarios:
Sentara Hospitals: OCR’s factual background in the resolution agreement states that billing statements for 577 patients were merged with thousands of guarantor mailing labels, resulting in disclosure of PHI, and OCR also identified failure to properly notify the Secretary and lack of a required business associate agreement for services involving PHI. This is the archetype of a mail merge misdelivery that the organization initially minimized. It is also a reminder that “billing-only” data can still be PHI.
L.A. Care Health Plan: The resolution agreement narrative describes a mailing error where member ID cards were mailed to the wrong members, affecting approximately 1,498 individuals, and OCR’s investigation cited impermissible disclosure and multiple Security Rule program gaps. This is a concrete example of OCR treating mis-mailing as a serious compliance matter when paired with broader control failures.
Solara Medical Supplies, LLC: OCR’s resolution agreement page and terms describe, among other conduct, disclosure of demographic information of 1,531 individuals due to mis-mailing notification letters, and failures in timely notifications under §§ 164.404, 164.406, and 164.408 following a breach discovery. This reinforces that OCR will treat “secondary” mis-mailings (even of notification letters) as impermissible disclosures and will scrutinize timeliness.
For fax-specific misdirection, OCR has also pursued enforcement where sensitive information was faxed to an employer rather than to the address the patient requested, and where incidents were repeated without adequate remediation. The HHS enforcement page for that matter (the St. Luke's-Roosevelt Hospital Center resolution agreement, listed in the sources below) identifies the settlement, and an accessible copy of the resolution agreement and corrective action plan describes the compliance obligations. If your clinic's wrong-recipient fax involves an employer, treat it as high risk under the "unauthorized person" factor, because the Federal Register explicitly flags the employer context as potentially enabling re-identification and misuse.
Prevention controls map cleanly into three categories: technical, administrative, and vendor governance. Privacy Rule safeguards require reasonable administrative, technical, and physical safeguards to protect privacy and to reasonably safeguard PHI from unintentional impermissible disclosures, which is the regulatory basis for implementing controls that prevent misdirection in the first place.
On the technical side, clinics typically reduce wrong-recipient risk by controlling addressing and identity at the point of send: secure patient portals instead of attachments, DLP rules that block outbound messages with PHI to non-approved domains, auto-complete suppression, and role-based address books for fax destinations. These are not “HIPAA required” as specific tools, but they are directly aligned with the safeguard requirement and with the breach risk assessment factors because they reduce the chance of an impermissible disclosure and improve your evidence if one occurs.
On the administrative side, two controls tend to outperform training-only programs: a two-person verification step for record releases (especially for high-sensitivity records) and forced workflow checkpoints that use patient identity validation plus destination validation (for example, “read back” of last four digits of fax number and recipient name before send). These create predictable artifacts that help you demonstrate diligence and mitigation if something breaks.
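The technical and administrative controls in the two paragraphs above (domain allow-listing for PHI, role-based fax address books, destination read-back, and a second approver for record releases) are easiest to make reliable when the sending workflow enforces them rather than relying on memory. The following is an added example, not code from the original page or from any vendor product, of a pre-send policy check that does exactly that. The approved-domain set, the fax directory and the PHI indicator patterns are assumed placeholders for this illustration; a real deployment would pull them from the clinic's directory and DLP classifiers, and would treat billing and appointment correspondence as PHI too, since the page notes that such data is PHI when tied to a covered entity.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed policy data for this example (placeholders): an outbound domain allow-list for
# PHI-bearing email, and a role-based fax directory keyed by organizational recipient.
APPROVED_EMAIL_DOMAINS = {"clinic.example", "partner-clinic.example"}
FAX_DIRECTORY = {
    "Partner Clinic Records": "+15550100123",
    "County Lab": "+15550100456",
}

# Illustrative PHI indicators; a production DLP policy uses far richer classifiers and
# should also catch billing-only or appointment-only content tied to the practice.
PHI_PATTERNS = [
    re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),            # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                # SSN-shaped value
    re.compile(r"\b(diagnosis|ICD-10|lab results?|medication list)\b", re.IGNORECASE),
]


@dataclass
class SendRequest:
    channel: str               # "email" or "fax"
    destination: str           # email address, or fax number in E.164 form
    recipient_name: str        # the organization/person the sender believes they are sending to
    body: str                  # message text (attachments would be scanned the same way)
    readback_last4: str = ""   # last four digits the sender read back during destination verification
    second_approver: str = ""  # user ID of the second person who verified patient and destination


def phi_indicators(text: str) -> List[str]:
    """Patterns that fired; non-empty means the message is treated as carrying PHI."""
    return [p.pattern for p in PHI_PATTERNS if p.search(text)]


def check_send(req: SendRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every reason is a control the request failed, so the
    denial itself is an artifact the privacy officer can later point to."""
    reasons: List[str] = []
    phi = phi_indicators(req.body)
    if req.channel == "email":
        domain = req.destination.rsplit("@", 1)[-1].lower() if "@" in req.destination else ""
        if phi and domain not in APPROVED_EMAIL_DOMAINS:
            reasons.append(f"PHI to non-approved domain '{domain}'")
    elif req.channel == "fax":
        expected = FAX_DIRECTORY.get(req.recipient_name)
        if expected is None:
            reasons.append(f"fax recipient '{req.recipient_name}' not in directory")
        elif expected != req.destination:
            reasons.append("fax number does not match directory entry for recipient")
        if req.readback_last4 != req.destination[-4:]:
            reasons.append("destination read-back mismatch")
    else:
        reasons.append(f"unsupported channel '{req.channel}'")
    if phi and not req.second_approver:
        reasons.append("PHI release requires a second approver")
    return (not reasons, reasons)


if __name__ == "__main__":
    req = SendRequest("email", "j.smith@gmail.example", "J. Smith", "MRN: 00418822 Diagnosis attached")
    print(check_send(req))
```

The point of returning the list of failed controls rather than a bare boolean is the evidence angle discussed earlier: a blocked send with logged reasons, or an allowed send with the approver's ID and the read-back recorded, is exactly the kind of artifact that demonstrates diligence if a disclosure still slips through.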
Vendor and BAA controls are the final pillar, and they are non-optional when the vendor is a business associate. HHS explains that a business associate is an entity performing functions or services on behalf of a covered entity that involve use or disclosure of PHI. Covered entities generally must obtain satisfactory assurances via a written contract that meets the business associate contract requirements. HHS also provides sample business associate agreement provisions to support compliance.
Two subtle but important vendor points matter for email and fax providers. First, “mere conduits” that transport PHI, such as the United States Postal Service and certain private couriers and their electronic equivalents, do not require business associate contracts when they only transport information and do not access it other than random/infrequent access as necessary for transport. Second, many modern “fax” and “email” services are not mere conduits because they store, route, process, or maintain PHI. For cloud scenarios, HHS explicitly states that a cloud service provider that maintains encrypted ePHI is still a business associate even without the decryption key, and is generally not a conduit. As a practical compliance rule, if your vendor can retain, store, or manage PHI beyond transient transmission, assume business associate status and require a BAA.
Sources
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
https://www.law.cornell.edu/cfr/text/45/164.404
https://www.law.cornell.edu/cfr/text/45/164.406
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
https://www.law.cornell.edu/cfr/text/45/164.410
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.412
https://www.law.cornell.edu/cfr/text/45/164.414
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.304
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
https://www.law.cornell.edu/cfr/text/45/164.530
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html
https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.310
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sentara/index.html
https://www.hhs.gov/sites/default/files/signed-ra-sentara-508.pdf
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/la-care-health-plan/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/solara-ra-cap/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/stlukes/index.html
https://www.hivlawandpolicy.org/sites/default/files/st-lukes-signed-ra-cap.pdf