
An Employee Accessed Patient Records Without Authorization — What Are My Obligations?

By GuardWell Compliance Team·March 16, 2026·9 min read

You just discovered that an employee accessed patient records they had no legitimate reason to view. Maybe it was a coworker's chart, a celebrity patient, a family member, an ex-spouse, or a neighbor. Maybe your audit log flagged it, another employee reported it, or the patient themselves noticed and complained. However you found out, you are now facing one of the most common and consequential HIPAA scenarios in healthcare — and your response in the next few days will determine whether this is a manageable internal matter or an enforcement action.

Why This Is Such a Serious Issue

Unauthorized access to patient records by workforce members is consistently among the top reported HIPAA violations. OCR has made it a priority enforcement area, particularly after several high-profile cases involving celebrity patient records. The reason is straightforward: the entire HIPAA framework is built on the principle that access to PHI must be limited to the minimum necessary for a workforce member to perform their job functions. When someone accesses records outside their job scope, it strikes at the core of what HIPAA protects.

This is also the type of violation that frequently generates patient complaints to OCR, because the patient feels personally violated. A patient who learns their coworker, neighbor, or ex-spouse's new partner looked at their medical records is highly motivated to file a complaint — and that complaint triggers an investigation into your entire compliance program, not just the single incident.

Immediate Steps: The First 48 Hours

  1. Confirm the unauthorized access. Pull the audit logs from your EHR or electronic system. Identify exactly which records were accessed, when, how many times, and what information was viewed. Modern EHR systems log every record access — this is your primary evidence.
  2. Determine if the access was truly unauthorized. Before escalating, verify that the employee did not have a legitimate work reason for the access. Did they assist with that patient's care? Were they processing a billing or scheduling request? Talk to the employee's direct supervisor to confirm whether there was any job-related reason.
  3. Interview the employee. If you cannot identify a legitimate work reason, meet with the employee. Be factual, not accusatory. Present the audit log showing the access and ask them to explain. Document the conversation in detail, including who was present and the employee's response.
  4. Preserve all evidence. Print or export the audit logs. Save any relevant communications. Document the timeline of discovery, investigation, and actions taken.
  5. Restrict access if necessary. Depending on the severity and the employee's response, consider immediately restricting their system access while the investigation continues. This is a precautionary measure, not a punishment, and should be framed as such.

Conducting the Breach Risk Assessment

Under HIPAA, an unauthorized access by a workforce member is an impermissible use or disclosure of PHI, and the Breach Notification Rule presumes such an incident is a breach unless you can show a low probability that the PHI was compromised. You are therefore required to perform the four-factor breach risk assessment to determine whether it constitutes a reportable breach:

  • Nature and extent of PHI: What did the employee view? A demographic screen is different from detailed clinical notes, mental health records, substance abuse treatment, or HIV status.
  • Who accessed it: The unauthorized person in this case is your employee. Consider their relationship to the patient — a stranger is one risk level, but a personal acquaintance, family member, or person with a known conflict creates a higher risk of the information being used or further disclosed.
  • Whether PHI was acquired or viewed: Audit logs confirm it was at minimum viewed. Did the employee print, screenshot, photograph, or download anything? Did they share the information with anyone?
  • Mitigation: What assurances can you obtain? The employee's attestation that they did not share the information and will not use it is relevant, though its weight depends on the circumstances.

If the employee accessed the records of someone they know personally, if they viewed sensitive categories of information, or if there is any indication they shared what they found, the risk assessment will likely determine this is a reportable breach requiring patient notification.

Applying Your Sanction Policy

HIPAA requires every covered entity to have a sanction policy for workforce members who violate policies and procedures. This is not optional — it is a required administrative safeguard under the Security Rule. Your response must be consistent with your documented policy and applied uniformly. The sanction should be proportionate to the violation:

  • First offense, no malicious intent, limited access: Written warning, mandatory retraining, documented counseling session.
  • Pattern of access, personal curiosity, or negligent disregard: Suspension, final written warning, system access restrictions, mandatory compliance training.
  • Malicious intent, personal gain, sharing information, or accessing records of a known personal contact: Termination is appropriate and often expected. In some cases, criminal referral may be warranted.

Whatever sanction you apply, document it thoroughly — the sanction, the reasoning, the date, and the employee's acknowledgment. If you choose not to terminate, document why and what additional safeguards are being implemented.

Notification Obligations

If your breach risk assessment determines this is a reportable breach:

  • Notify the affected patient(s) in writing within 60 days of discovery.
  • Report to HHS through the OCR breach portal (timing depends on the number of individuals affected).
  • Check your state's breach notification requirements — many states have shorter timelines or additional reporting obligations.

Criminal Referral Considerations

In particularly egregious cases, HIPAA violations can be criminal. Under 42 USC 1320d-6, knowingly obtaining or disclosing individually identifiable health information can carry fines up to $250,000 and imprisonment up to 10 years if the offense involves intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. If your investigation reveals that the employee accessed records for personal gain, to harm the patient, or to sell information, consult with legal counsel about criminal referral to the Department of Justice.

Preventing Future Unauthorized Access

After resolving the immediate incident, use it as a catalyst to strengthen your access controls:

  • Review role-based access controls: Ensure each staff member's system access is limited to the minimum necessary for their job function.
  • Implement proactive audit log monitoring: Do not wait for someone to report suspicious access — review audit logs regularly for unusual patterns.
  • Reinforce training: Use this incident (anonymized) as a training example. Staff should understand that every record access is logged and unauthorized access will be detected and sanctioned.
  • Consider break-the-glass controls: For sensitive records (VIPs, employees, mental health), implement alerts that require a reason before access is granted.

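The investigation steps above (pull the audit log, establish which records a user touched, when, how often, and whether anything was printed or exported) and the monitoring controls just listed (flag access with no treatment relationship, require a documented reason for restricted records) are easy to describe and easy to get wrong in practice. The script below is an added example written for this post, not GuardWell's code and not any EHR vendor's audit format. It assumes a constructed CSV-style access log, a constructed table of treatment relationships (users with an encounter, order or scheduling task for each patient), and a constructed list of records placed behind a break-the-glass prompt; a real EHR exports logs in its own schema and the care-team lookup would come from the scheduling or encounter system.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample EHR access audit log (illustrative only, not from a real system).
# Columns: timestamp, user, role, action, patient, section, reason (break-the-glass text).
AUDIT_LOG = """\
timestamp,user,role,action,patient,section,reason
2026-03-09T08:12:04,rn_alvarez,nurse,VIEW,P1001,demographics,
2026-03-09T08:13:30,rn_alvarez,nurse,VIEW,P1001,clinical_notes,
2026-03-09T12:40:11,sched_kim,scheduler,VIEW,P1002,demographics,
2026-03-10T17:55:02,sched_kim,scheduler,VIEW,P1003,clinical_notes,
2026-03-10T17:56:45,sched_kim,scheduler,VIEW,P1003,mental_health,
2026-03-11T18:02:19,sched_kim,scheduler,PRINT,P1003,clinical_notes,
2026-03-12T09:10:00,dr_osei,physician,VIEW,P1003,clinical_notes,
2026-03-12T09:11:00,dr_osei,physician,VIEW,P1004,clinical_notes,Covering for Dr. Lee
2026-03-12T14:05:00,rn_alvarez,nurse,VIEW,P1004,clinical_notes,
"""

# Constructed treatment relationships (hypothetical): users with a documented
# encounter, order or scheduling task for each patient.
CARE_TEAM = {
    "P1001": {"rn_alvarez", "dr_osei"},
    "P1002": {"sched_kim", "dr_osei"},
    "P1003": {"dr_osei"},
    "P1004": {"dr_lee"},
}

# Constructed list of restricted records (employee-patients, VIPs, etc.) that
# require a documented reason before the chart opens.
BREAK_THE_GLASS = {"P1004"}

# Chart sections whose exposure raises the "nature and extent of PHI" factor.
SENSITIVE_SECTIONS = {"mental_health", "substance_use", "hiv_status"}


def parse_audit_log(text):
    """Read the CSV log into dicts and attach a parsed timestamp as 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def investigation_summary(events, user):
    """Step 1 of the investigation: for one user, which records were accessed,
    when, how many times, which sections, and any non-view actions (print/export)."""
    per_patient = {}
    for e in events:
        if e["user"] != user:
            continue
        s = per_patient.setdefault(e["patient"], {
            "accesses": 0, "first": e["ts"], "last": e["ts"],
            "sections": set(), "non_view_actions": [], "sensitive": False,
        })
        s["accesses"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
        s["sections"].add(e["section"])
        if e["action"] != "VIEW":
            s["non_view_actions"].append((e["ts"].isoformat(), e["action"]))
        if e["section"] in SENSITIVE_SECTIONS:
            s["sensitive"] = True
    return per_patient


def flag_unusual_access(events, care_team=CARE_TEAM, restricted=BREAK_THE_GLASS):
    """Proactive monitoring: return sorted (patient, user, finding) tuples for
    access outside a treatment relationship or restricted records opened
    without a documented reason. Duplicate findings are collapsed."""
    findings = set()
    for e in events:
        in_team = e["user"] in care_team.get(e["patient"], set())
        if e["patient"] in restricted:
            if not e["reason"].strip():
                findings.add((e["patient"], e["user"],
                              "restricted record accessed without documented reason"))
            elif not in_team:
                findings.add((e["patient"], e["user"],
                              "break-the-glass access with documented reason; confirm"))
        elif not in_team:
            findings.add((e["patient"], e["user"], "no treatment relationship"))
    return sorted(findings)


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    for patient, s in investigation_summary(events, "sched_kim").items():
        print(patient, s["accesses"], "accesses", s["first"], "to", s["last"],
              sorted(s["sections"]), s["non_view_actions"], "sensitive" if s["sensitive"] else "")
    for finding in flag_unusual_access(events):
        print("FLAG", *finding)
```

Run against the constructed log, the summary for `sched_kim` shows three accesses to P1003 over two days, a mental-health section and a PRINT action, which is exactly the evidence the four-factor assessment needs (nature and extent, and whether anything left the system). The monitoring pass flags that same scheduler-to-P1003 access as having no treatment relationship, flags a nurse opening a restricted record with no reason, and separately lists a physician's documented break-the-glass access for confirmation rather than treating it as a violation. The care-team lookup is the piece that does the real work; without a reliable source of treatment relationships, "unusual pattern" review collapses into reading every log line by hand.
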
A practice with documented policies, consistent audit log review, clear sanction procedures, and a culture of accountability handles these situations from a position of strength. GuardWell's incident tracking, staff training management, and compliance documentation tools ensure that when these situations arise — and they will — your practice has the evidence of a mature compliance program that OCR expects to see.

Tags: employee accessed patient records, HIPAA snooping, unauthorized access patient records, workforce HIPAA violation, employee PHI access, HIPAA sanction policy
