A staff member viewed a chart they had no business viewing
Curiosity is the most common motive, and curiosity is still a HIPAA violation. There is no attacker, the staff member meant no harm, and the patient may never find out unless you tell them — which is exactly the problem.
The first hour
- 1Export the per-record access log for the affected chart for the last 12 months. Do not screenshot — export the underlying data (CSV with timestamps, ideally with a vendor-provided integrity hash) so chain of custody holds up.
- 2Confirm the user ID maps to a single named person, not a shared account. A shared account in 2026 is an OCR finding in its own right.
- 3Pull the staff member's full access pattern across all records for the last 30 days. One unauthorized view is a problem; a pattern is a different problem with a heavier sanction and higher reportability risk.
- 4Loop in the privacy officer and the staff member's direct supervisor. No one else, yet.
- 5Do not confront the staff member without the audit log in hand. The conversation that starts with 'we have 14 views over six weeks' produces real evidence.
- 6Suspend the staff member's access to the affected record (or all records, depending on scope) while the investigation runs.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Vendor-exported access log for the affected chart, with timestamps and integrity hash if available.
- 30-day access pattern export for the staff member across all records.
- Written, verbatim record of the sanction conversation, including the staff member's explanation.
- Written four-factor breach risk assessment with the conclusion and the reasoning.
- Copy of the practice's sanction policy, with the applied sanction documented against it.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- HHS Breach Notification Rule guidance
- State medical-board reporting (varies — check yours)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Is curiosity-driven snooping really a breach?+
Often, yes. The HHS definition of breach is access or use of PHI not permitted under the Privacy Rule, unless the four-factor risk assessment concludes a low probability that PHI was compromised. Document the four-factor analysis. If you cannot defensibly conclude 'low probability,' notify the patient within 60 days.
Do we have to fire the staff member?+
Not automatically. Low-volume curiosity often results in a written warning and re-training; repeated snooping, snooping with a personal or commercial motive, or snooping with disclosure to a third party usually results in termination. The decision is yours; the documented sanction is what protects the practice from an OCR enforcement-record finding.
Should we have break-the-glass alerts?+
Yes. Modern EHRs can alert when a staff member opens a flagged record (VIP, coworker, family, outside their care team's panel). Many small practices have the feature and have never turned it on. Detection by tipoff is luck, not strategy.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.
The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.