Patient Protect

Unauthorized access response

A staff member accessed records they should not have. Here is what HIPAA requires.

Unauthorized access to patient records is a HIPAA violation regardless of intent. Your response must be immediate, documented, and structured.

Definitions

What counts as unauthorized access.

Under HIPAA, access to protected health information must be limited to the minimum necessary for treatment, payment, or healthcare operations. Any access outside these purposes is unauthorized — regardless of the employee's role, intent, or whether the information was shared.

Accessing records of patients not in your care

Looking up celebrity, neighbor, or family member records

Accessing records out of curiosity

Sharing login credentials with another employee

Accessing records after employment ends

Viewing records for personal reasons unrelated to treatment, payment, or operations

Intent does not determine whether a violation occurred. A staff member who accesses a record "just to check" has committed the same violation as one who accesses a record with malicious purpose. The difference affects the sanction, not the violation itself.

Required response

Six steps. No shortcuts.

HIPAA prescribes a structured response to workforce violations. Every step must be documented.

1. Confirm the access occurred

Pull audit logs and access reports. Identify the user account, the timestamp, the records accessed, and the duration of access. Do not rely on the employee's account alone — verify against system logs. If your system does not have audit logging, that is a separate compliance violation.

2. Determine what was accessed

Identify which patient records were viewed, what categories of PHI were exposed (demographics, diagnoses, treatment notes, financial information), and how many patients were affected. The scope of access determines your notification obligations.

3. Interview the employee

Conduct a documented interview. Ask what was accessed, why, whether the information was shared with anyone, and whether any copies were made. Have a witness present. Document the conversation in writing, including the employee's responses, the date, time, and attendees.

4. Apply your sanction policy

HIPAA requires a sanction policy under 45 CFR 164.308(a)(1)(ii)(C). Apply it consistently. Sanctions must be proportional to the severity of the violation — ranging from retraining and written warnings to suspension or termination. Failure to sanction is itself a compliance failure.

5. Conduct a breach risk assessment

Apply the four-factor test: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used or accessed the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. If the assessment shows more than a low probability of compromise, it is a reportable breach.

6. Document everything

Create a formal investigation report that includes: the timeline of events, the access logs, the interview record, the risk assessment methodology and conclusions, the sanction applied, and any corrective actions taken. This documentation is required under HIPAA and serves as your defense in any enforcement action.
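Steps 1 and 2, confirming the access against system logs rather than the employee's account and scoping which patients and PHI categories were touched, can be run over an audit export. The following is an added example, not Patient Protect code: its log format, role names, care-team table and minimum-necessary matrix are constructed, and the two checks it applies (PHI category permitted for the role; clinical user on the patient's care team) are an assumed policy model, not the product's.

```python
"""Audit-log triage for steps 1 and 2 of the response (added example, not
Patient Protect code). The log format, roles, care-team table and
minimum-necessary matrix below are constructed for illustration."""
from collections import defaultdict

# Constructed audit export: (user, role, timestamp, patient_id, phi_category)
AUDIT_LOG = [
    ("jdoe", "nurse", "2024-03-01T08:02:11", "P100", "treatment_notes"),
    ("jdoe", "nurse", "2024-03-01T08:05:40", "P101", "treatment_notes"),
    ("jdoe", "nurse", "2024-03-01T22:14:03", "P205", "diagnoses"),         # not assigned
    ("jdoe", "nurse", "2024-03-01T22:16:50", "P205", "demographics"),      # not assigned
    ("jdoe", "nurse", "2024-03-01T22:20:12", "P310", "treatment_notes"),   # not assigned
    ("mlee", "billing", "2024-03-01T09:30:00", "P100", "financial"),
    ("mlee", "billing", "2024-03-01T09:31:10", "P100", "treatment_notes"),  # outside role
]

# Constructed care-team table: patient -> clinical users with a treatment purpose
CARE_TEAM = {"P100": {"jdoe"}, "P101": {"jdoe"}, "P205": set(), "P310": {"rkim"}}

# Constructed minimum-necessary matrix: PHI categories each role may view.
# Clinical roles additionally need a care-team assignment for the patient;
# billing and scheduling have a payment/operations basis for any patient.
ROLE_CATEGORIES = {
    "nurse": {"demographics", "diagnoses", "treatment_notes"},
    "billing": {"demographics", "financial"},
    "scheduler": {"demographics"},
}
CLINICAL_ROLES = {"nurse"}

def triage(log=AUDIT_LOG, care_team=CARE_TEAM, role_categories=ROLE_CATEGORIES):
    """Per user, return events with no treatment/payment/operations basis and
    the scope the risk assessment needs: patients, PHI categories, time window."""
    flagged = defaultdict(list)
    for user, role, ts, patient, category in log:
        if category not in role_categories.get(role, set()):
            flagged[user].append((ts, patient, category, "category outside role"))
        elif role in CLINICAL_ROLES and user not in care_team.get(patient, set()):
            flagged[user].append((ts, patient, category, "patient not assigned"))
    report = {}
    for user, events in flagged.items():
        events.sort()  # ISO 8601 timestamps sort chronologically as strings
        report[user] = {
            "events": events,
            "patients_affected": sorted({e[1] for e in events}),
            "phi_categories": sorted({e[2] for e in events}),
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
        }
    return report
```

The per-user report gives the patient count and PHI categories that feed the breach risk assessment and the investigation report, while the untouched in-scope accesses (jdoe on assigned patients, mlee on financial data) are left out of the findings.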

Breach threshold

When unauthorized access becomes a reportable breach.

Not every unauthorized access is a reportable breach — but every unauthorized access requires a breach risk assessment to make that determination. You do not get to skip the assessment because you believe the risk is low.

The four-factor test under 45 CFR 164.402 evaluates: the nature and extent of the PHI involved (including identifiers and likelihood of re-identification), the unauthorized person who accessed the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

If the assessment concludes there is more than a low probability that the PHI was compromised, it is a reportable breach. You must notify affected patients within 60 days. For 500 or more affected individuals, you must also notify HHS and local media.

The burden of proof is on the covered entity. If you cannot demonstrate that the probability of compromise was low, the presumption is that a breach occurred. Document the assessment regardless of the outcome.

Prevention

How to prevent unauthorized access.

The best investigation is the one you never have to conduct. These controls reduce the likelihood and impact of unauthorized access.

Role-based access controls

Restrict access to patient records based on job function. Front desk staff see scheduling data. Clinical staff see treatment records for their assigned patients. Billing sees financial data. No role sees everything unless operationally necessary.

Audit logging

Log every access event with user identity, timestamp, records accessed, and action taken. Logs must be immutable — no user, including administrators, should be able to modify or delete audit records.
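One way to make audit records tamper-evident is to hash-chain them, so that editing or deleting any record invalidates every hash after it. The following is an added example, not Patient Protect code; the record fields are constructed, and the anchored-head check is an assumed design for catching truncation of the tail, which a chain alone cannot detect.

```python
"""Tamper-evident audit trail via hash chaining (added example, not Patient
Protect code). Each record's hash covers its content plus the previous
record's hash, so editing or deleting a record breaks every later hash."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def record_hash(prev_hash, entry):
    """SHA-256 over the previous hash and a canonical JSON form of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(log, entry):
    """Append an access event; the log is a list of {"entry", "hash"} records."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": record_hash(prev, entry)})
    return log[-1]["hash"]

def verify(log, anchored_head=None):
    """Return (ok, index_of_first_bad_record). The chain alone cannot detect
    truncation of the tail, so copy the head hash regularly to a store that
    log-server administrators cannot write and pass it as anchored_head."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["hash"] != record_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(log)  # records missing after the last one present
    return True, None

def build_sample_log():
    """Constructed access events using the fields the page lists."""
    log = []
    for e in [
        {"user": "jdoe", "ts": "2024-03-01T08:02:11", "patient": "P100", "action": "view"},
        {"user": "jdoe", "ts": "2024-03-01T22:14:03", "patient": "P205", "action": "view"},
        {"user": "mlee", "ts": "2024-03-01T09:31:10", "patient": "P100", "action": "print"},
    ]:
        append(log, e)
    return log

def tampered_copy(log, index, **changes):
    """Copy of the log with one record's content rewritten after the fact."""
    out = copy.deepcopy(log)
    out[index]["entry"].update(changes)
    return out
```

Hash chaining makes tampering detectable; it does not by itself stop an administrator from writing to the log store, so it complements, rather than replaces, write-once storage and separation of duties for log access.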

Minimum necessary standard

Configure systems to limit PHI disclosure to the minimum necessary for the intended purpose. A scheduler does not need to see clinical notes. A billing clerk does not need to see treatment plans.

Regular access reviews

Review user access rights quarterly. Verify that access levels match current job functions. Revoke access immediately upon role change or termination. Access reviews should be documented.

Workforce training

Train every staff member on what constitutes unauthorized access, the consequences under your sanction policy, and how access is monitored. Training should be documented and repeated at least annually.

Sanction policy enforcement

Publish and enforce a clear sanction policy. Employees must know that unauthorized access is detected, investigated, and penalized. Inconsistent enforcement undermines the entire compliance program.

FAQ

Unauthorized access questions.

Is employee snooping a HIPAA violation?

Yes. Accessing patient records without a treatment, payment, or operations purpose is a violation of the HIPAA Privacy Rule's minimum necessary standard and the access controls required by the Security Rule. It does not matter if the employee did not share the information — the unauthorized access itself is the violation.

Do I have to fire the employee?

Not necessarily. HIPAA requires a sanction policy, not a termination policy. The sanction must be appropriate to the severity of the violation. A first-time curiosity access of one record may warrant retraining and a written warning. Systematic access of dozens of records, or access with intent to share, typically warrants termination. The key is consistency — apply the same standards to every case.

When does unauthorized access require breach notification?

When the four-factor risk assessment determines there is more than a low probability that PHI was compromised. Factors include: what PHI was accessed, who accessed it, whether it was actually viewed or acquired, and whether the risk has been mitigated. If the employee viewed records but did not copy, download, or share them — and you have evidence supporting that — you may be able to demonstrate low probability of compromise. Document the assessment regardless of the conclusion.

Access control enforcement

Nine defined roles. Immutable audit logging. Minimum necessary by default.

Patient Protect enforces role-based access controls with nine granular roles, logs every access event in an immutable audit trail, and applies minimum necessary restrictions automatically. When unauthorized access occurs, you have the evidence to investigate, document, and resolve it.