When Is a Privacy Incident Reportable? What ABA Leaders Need to Know

breaches privacy rule Jan 08, 2026

Privacy breaches are an ongoing compliance risk for ABA providers, and knowing when a breach is reportable is critical for protecting your organization, your clients, and you. Many ABA business and clinical leaders are surprised to learn that not every privacy incident has to be reported, but plenty of them do, often under both federal and state law. With the deadline coming up at the end of February to report smaller HIPAA breaches that occurred in 2025 to HHS, now’s a good time to revisit how reportability decisions actually work. To help, we’ve created a free HIPAA Breach Reportability Decision Tool for ABA Providers that walks you through the four-factor risk assessment you should complete when a privacy incident happens, and highlights key reporting deadlines. We’ll also break this down using real-world ABA scenarios and share how ongoing compliance support can help you handle breaches with more confidence and less guesswork.

First Things First: What Counts as a HIPAA Breach?

Under HIPAA, a breach generally means an impermissible use or disclosure of protected health information (PHI) that compromises its privacy or security.

In day-to-day ABA operations, that can look like:

  • Session notes or treatment plans sent to the wrong parent, school, or payer

  • A lost or stolen laptop or phone that isn’t encrypted

  • Staff accessing client records without a job-related reason

  • Cyber incidents involving your EHR, billing system, or email

That said, not every privacy incident automatically becomes a reportable breach.

The Big Question: Does This Have to Be Reported?

A privacy incident becomes reportable unless your organization can show there’s a low probability that the PHI was compromised.

HIPAA requires ABA providers to complete a four-factor risk assessment any time PHI is used or disclosed in a way that isn’t permitted. This assessment needs to be documented, and regulators expect to see real analysis, not just a checked box.

The Four-Factor Risk Assessment ABA Leaders Need to Understand

When PHI is involved, HIPAA starts from the assumption that the incident is a reportable breach unless you can clearly show otherwise. The four-factor risk assessment is how you make, and defend, that decision.

Factor 1: The nature and extent of the PHI involved

This factor looks at how sensitive the information is and how easily it could be used to identify or harm a client.

Risk tends to be higher when PHI includes:

  • Diagnoses, treatment plans, behavior plans, or session notes

  • Insurance information or member IDs

  • Dates of birth, addresses, phone numbers, or email addresses

  • Any combination of details that makes a client easy to identify

ABA examples

  • Lower risk: An appointment reminder sent to the wrong parent that only included a first name and appointment time.

  • Higher risk: A misdirected attachment with a full treatment plan, diagnosis, goals, and insurance information.

What matters here isn’t just that PHI was involved, but what kind of PHI.

Factor 2: Who received the PHI

This factor focuses on who got the information and whether they have any obligation to protect it.

Risk is usually lower when the recipient is:

  • Another HIPAA-covered entity or business associate

  • An internal staff member who received the information by mistake and didn’t use or share it

Risk increases when the recipient is:

  • A member of the general public

  • Someone with no confidentiality obligations

  • An unknown or unverified third party

ABA examples

  • Lower risk: A session note is faxed to a pediatric clinic, which confirms it wasn’t saved and was securely destroyed.

  • Higher risk: A billing spreadsheet is emailed to an external Gmail address, and you can’t confirm who owns it.

Factor 3: Whether the PHI was actually accessed or viewed

This factor looks at what actually happened, not just what could’ve happened.

Helpful questions include:

  • Was the email opened or the attachment downloaded?

  • Was a portal link clicked?

  • Was the device encrypted or remotely wiped?

  • Do system logs show access?

ABA examples

  • Lower risk: A file is sent to the wrong internal employee, who reports it right away, doesn’t open it, and deletes it.

  • Higher risk: An unencrypted laptop with session notes is stolen and never recovered.

If you don’t know for sure whether PHI was accessed, that uncertainty needs to be documented.

Factor 4: How much the risk was mitigated

Mitigation is about what you did after the incident to reduce the chance of harm.

Strong mitigation steps might include:

  • Quickly retrieving or securely deleting the information

  • Resetting passwords or disabling accounts

  • Remotely wiping a device

  • Revoking access or correcting permissions

  • Providing targeted staff retraining

ABA examples

  • Lower risk: A progress report sent to the wrong parent is deleted within minutes, confirmed in writing, and the contact error is fixed.

  • Higher risk: A phishing attack compromises an email account for days before it’s detected, and full access can’t be reconstructed.

Fast, well-documented action can significantly affect how risk is evaluated.

How These Factors Determine “Reportable”

After weighing all four factors together, your organization has to land in one of two places:

  • There’s a low probability the PHI was compromised, so the incident isn’t reportable under HIPAA, or

  • There’s not a low probability of compromise, which means breach notification requirements apply

A good internal gut check is this: if a regulator asked you to explain your decision, could your documentation clearly support it?

A Common Misunderstanding in ABA Agencies

A lot of ABA leaders assume small breaches don’t need to be reported. That’s not true. Even a breach affecting one client can be reportable. The size of the breach affects how and when you report, not whether reporting is required.

Federal Reporting Deadlines Under HIPAA

Once a breach is reportable, HIPAA requires notification to:

  • Affected individuals

  • HHS’s Office for Civil Rights

  • The media, in limited situations

Breaches affecting fewer than 500 individuals

  • Notify affected individuals within 60 days of discovery

  • Report to HHS within 60 days after the end of the calendar year

    • For breaches that occurred in 2025, that deadline falls at the end of February 2026

Breaches affecting 500 or more individuals

  • Notify individuals, HHS, and the media within 60 days of discovery

A breach is considered discovered when it’s known or reasonably should’ve been known, not when the investigation wraps up.

Where State Privacy Laws Fit In

HIPAA isn’t the only law you need to think about. Most states have their own data breach notification laws, and those laws can:

  • Require faster notification than HIPAA

  • Require notice to state agencies like the Attorney General

  • Apply to personal information beyond PHI

One incident can easily trigger both HIPAA and state reporting obligations.

When that happens, you’re generally expected to follow the rule that provides greater protection to the individual, which often means meeting the shorter deadline and notifying more parties.

Why This Is So Hard, and How Ongoing Support Helps

Breach response decisions are stressful for a reason. They’re time-sensitive, high-stakes, and often made without a lot of internal expertise or peer support. That’s why tools alone usually aren’t enough.

Inside our ABA Compliance Collective, community members have access not only to resources like a First 72 Hours Privacy Breach Response Checklist, but also to practical guidance, examples, and community discussion around real compliance challenges like breach reporting.