How Should Employees Report an Accidental HIPAA Violation?

If a healthcare employee witnesses an accidental disclosure of PHI on the job, they have to report the incident to their Privacy Officer.

The Privacy Officer will determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR).

If a report is sent, the employee should disclose to the Privacy Officer (PO) that a mistake was made, how it happened, and which patient’s records were viewed or disclosed. Not reporting a breach promptly can turn a simple error into a major incident, one that could result in disciplinary action and, potentially, penalties for the employer.

For more information on accidental breach notification and actions, check out this article from HIPAA Journal:

How Should You Respond to an Accidental HIPAA Violation? – HIPAA Journal