We learned an employee accessed a customer's patient data without authorization

Investigate, document, revoke access, and determine if this is a reportable breach.

1. Suspend the employee's access immediately

   While facts are gathered, ensure they cannot access more data. Preserve audit logs before they rotate or expire.

2. Interview and document

   Find out what they viewed, how many patients were involved, and why. Document timestamps from system logs.

3. Notify your customer if required

   Your BAA likely requires you to inform covered entity customers of unauthorized access. Your counsel can help with timing and wording.

4. Complete sanctions and retraining

   Apply consistent disciplinary action and close the gaps that allowed the access, such as stricter access reviews or alerts for unusual access patterns.
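The following is an added example, not part of the original page, showing how steps 1 and 2 above (preserve the logs, then document what was viewed, how many patients, and when) can be carried out against an application audit log. It assumes a hypothetical JSON-lines audit log with `ts`, `user`, `patient_id` and `action` fields and a hypothetical assignment table of which patients each user has a care relationship with; the log lines are constructed sample data, not real records.

```python
"""Reconstruct one employee's patient-record access history from an audit
log, flag accesses to patients they are not assigned to, and fingerprint
the preserved log export.

All field names, the assignment table and the log lines are assumptions
for this example; adapt them to your system's real audit schema.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (not real patient data).
SAMPLE_LOG = """
{"ts": "2024-03-04T09:12:01Z", "user": "jdoe", "patient_id": "P-1001", "action": "view"}
{"ts": "2024-03-04T09:14:22Z", "user": "jdoe", "patient_id": "P-1002", "action": "view"}
{"ts": "2024-03-04T22:41:05Z", "user": "jdoe", "patient_id": "P-2090", "action": "view"}
{"ts": "2024-03-04T22:43:19Z", "user": "jdoe", "patient_id": "P-2091", "action": "view"}
{"ts": "2024-03-04T22:44:50Z", "user": "jdoe", "patient_id": "P-2092", "action": "export"}
{"ts": "2024-03-04T10:02:00Z", "user": "asmith", "patient_id": "P-3001", "action": "view"}
""".strip()

# Hypothetical care-relationship table: patients each user is assigned to.
ASSIGNMENTS = {
    "jdoe": {"P-1001", "P-1002"},
    "asmith": {"P-3001"},
}


def preserve_fingerprint(text):
    """Step 1: record a SHA-256 of the exported log so the copy used in the
    investigation can later be shown to be unchanged."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_log(text):
    """Parse JSON-lines audit events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(e)
    return events


def unassigned_accesses(events, assignments):
    """Events where the user touched a patient outside their assignments."""
    return [e for e in events if e["patient_id"] not in assignments.get(e["user"], set())]


def access_summary(events, user):
    """Step 2 facts: distinct patients, first/last timestamp, action counts."""
    mine = [e for e in events if e["user"] == user]
    if not mine:
        return None
    patients = sorted({e["patient_id"] for e in mine})
    times = sorted(e["ts"] for e in mine)
    actions = defaultdict(int)
    for e in mine:
        actions[e["action"]] += 1
    return {
        "user": user,
        "patient_count": len(patients),
        "patients": patients,
        "first_access": times[0].isoformat(),
        "last_access": times[-1].isoformat(),
        "actions": dict(actions),
    }


def incident_report(text, assignments, user):
    """Combine the preserved-log fingerprint, the access summary and the
    out-of-assignment events (sorted by time) into one documented record."""
    events = parse_log(text)
    flagged = [e for e in unassigned_accesses(events, assignments) if e["user"] == user]
    return {
        "log_sha256": preserve_fingerprint(text),
        "summary": access_summary(events, user),
        "flagged": [
            {"ts": e["ts"].isoformat(), "patient_id": e["patient_id"], "action": e["action"]}
            for e in sorted(flagged, key=lambda e: e["ts"])
        ],
    }


if __name__ == "__main__":
    print(json.dumps(incident_report(SAMPLE_LOG, ASSIGNMENTS, "jdoe"), indent=2))
```

The same `unassigned_accesses` check, run continuously rather than after the fact, is one form of the "alerts for unusual access patterns" that step 4 suggests; the number of distinct patients and the presence of `export` actions in the summary are the figures that usually drive the breach-reportability discussion with counsel.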

Important

Unauthorized insider access is a frequent source of OCR enforcement against vendors and health systems.

Not legal advice. Follow your organization's policies and consult counsel for legal questions.