Skip to main content
All playbooks
Playbook

A staff member viewed a chart they had no business viewing

Curiosity is the most common motive, and curiosity is still a HIPAA violation. There is no attacker, the staff member meant no harm, and the patient may never find out unless you tell them — which is exactly the problem.

Last reviewed: May 2026

The first hour

  1. 1Export the per-record access log for the affected chart for the last 12 months. Do not screenshot — export the underlying data (CSV with timestamps, ideally with a vendor-provided integrity hash) so chain of custody holds up.
  2. 2Confirm the user ID maps to a single named person, not a shared account. A shared account in 2026 is an OCR finding in its own right.
  3. 3Pull the staff member's full access pattern across all records for the last 30 days. One unauthorized view is a problem; a pattern is a different problem with a heavier sanction and higher reportability risk.
  4. 4Loop in the privacy officer and the staff member's direct supervisor. No one else, yet.
  5. 5Do not confront the staff member without the audit log in hand. The conversation that starts with 'we have 14 views over six weeks' produces real evidence.
  6. 6Suspend the staff member's access to the affected record (or all records, depending on scope) while the investigation runs.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • Vendor-exported access log for the affected chart, with timestamps and integrity hash if available.
  • 30-day access pattern export for the staff member across all records.
  • Written, verbatim record of the sanction conversation, including the staff member's explanation.
  • Written four-factor breach risk assessment with the conclusion and the reasoning.
  • Copy of the practice's sanction policy, with the applied sanction documented against it.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Is curiosity-driven snooping really a breach?+

Often, yes. The HHS definition of breach is access or use of PHI not permitted under the Privacy Rule, unless the four-factor risk assessment concludes a low probability that PHI was compromised. Document the four-factor analysis. If you cannot defensibly conclude 'low probability,' notify the patient within 60 days.

Do we have to fire the staff member?+

Not automatically. Low-volume curiosity often results in a written warning and re-training; repeated snooping, snooping with a personal or commercial motive, or snooping with disclosure to a third party usually results in termination. The decision is yours; the documented sanction is what protects the practice from an OCR enforcement-record finding.

Should we have break-the-glass alerts?+

Yes. Modern EHRs can alert when a staff member opens a flagged record (VIP, coworker, family, outside their care team's panel). Many small practices have the feature and have never turned it on. Detection by tipoff is luck, not strategy.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.