
What should I do if I think something went wrong?

Wrong fax, strange email, lost phone, or coworker snooping: here's how to respond without making it worse.

TL;DR

Stop, tell your privacy officer or supervisor right away, and document the facts. Do not try to cover it up, and do not decide on your own whether it is a 'real' breach. That is leadership's job, with legal help.

Updated 2026-04-21

Most HIPAA problems are not movie-style hacker attacks. They are human moments: a fax to the wrong clinic, an email auto-filled to the wrong person, a tablet left in a coffee shop, or a curious employee opening a celebrity chart.

Your job is not to be the lawyer. Your job is to report quickly and preserve the story.

Step 1: Pause the harm if you can

If you just sent something to the wrong place, tell your supervisor immediately; sometimes IT or the recipient can contain the message before it spreads, but only if they hear about it quickly.

If a device is missing, report it so a remote wipe or password rotation can start. Note the exact device (make, asset tag, or phone number if you know it); IT needs that to act.

Step 2: Tell the right person today

Your practice should name a privacy officer or escalation path. Use it even if you feel embarrassed. Early reporting is what turns an "oops" into a managed incident instead of a cover-up.

Step 3: Write down plain facts

Note what happened, when, whose information was involved (best estimate), what systems were used, and what you already did. Screenshots and fax logs help.

Common situations

Wrong fax number. Notify supervisor; your office may call the recipient to request destruction; leadership decides if breach analysis is needed.

Email to the wrong address. IT may be able to recall the message in some systems, but recall usually only works inside the same mail system and often fails once the message has left it, so do not assume it succeeded; if it cannot be recalled, document and escalate.

Lost phone or laptop. Report immediately; whether the device was encrypted matters a lot for next steps, because the breach rules treat properly encrypted data differently from unencrypted data, and leadership will need IT to confirm the encryption status rather than take your word for it.

Coworker browsing charts with no work reason. Do not confront them; report it to the privacy officer for investigation, since access logs can show what was opened and when.

What not to do

  • Don't delete evidence.
  • Don't promise a patient that "nothing will happen" until the facts are reviewed.
  • Don't decide on your own that it was "too small" to mention.

Not legal advice. Educational overview only; consult qualified counsel for your situation.