HIPAA Compliance Incident Reporting: Recognizing, Containing, and Escalating Potential Breaches

Chapter 9

Estimated reading time: 9 minutes


Incident reporting is the practical skill of recognizing a potential privacy or security problem, stopping further exposure, and escalating it quickly so the organization can assess risk, notify appropriately, and prevent recurrence. Staff do not need to decide whether something is a “reportable breach” under HIPAA; staff need to recognize that something may be wrong and report it promptly.

What counts as an incident (common scenarios)

An incident is any event that could compromise the privacy, security, or appropriate use/disclosure of patient information or access to systems that contain it. Incidents include confirmed events and “near misses” (caught before harm occurs).

Misdirected communication (email, fax, portal message, mail)

  • Sending a message to the wrong recipient (e.g., similar names, auto-complete error).
  • Attaching the wrong document or including extra pages.
  • Faxing to an outdated number or leaving a fax on a shared machine.
  • Mailing to an old address or wrong patient.

Overheard or exposed conversation

  • Discussing patient details in a public area where visitors or other patients can hear.
  • Speakerphone use where non-authorized individuals can overhear.
  • Hand-off conversations conducted within earshot of the public.

Lost, stolen, or unsecured device/media

  • Lost phone, tablet, laptop, badge, or portable drive used for work.
  • Device left unattended in a public place or unlocked in a car.
  • Paperwork missing from a clipboard, printer, or chart rack.

Wrong-patient access in the EHR (or other systems)

  • Opening the wrong patient chart (even if you “only looked for a second”).
  • Documenting in the wrong chart.
  • Printing or exporting information from the wrong chart.
  • Accessing a chart out of curiosity or without a work-related need.

Improper disclosure or access by someone else

  • Sharing information with a person who is not authorized (e.g., wrong family member, wrong facility, wrong payer contact).
  • Giving login credentials to another person or using someone else’s login.
  • A coworker viewing information they do not need for their role.
  • Suspicious emails, phishing attempts, or signs an account may be compromised.

Immediate response: what to do the moment something goes wrong

Use this simple model: Stop the exposure → Secure what you can → Notify → Document. The goal is containment and rapid escalation, not self-investigation.

Step-by-step containment checklist

  1. Stop the disclosure/access immediately.
    • Close the wrong chart or stop the conversation.
    • Stop printing; cancel the job if possible.
    • Do not continue sending follow-up messages to “explain” unless instructed by your supervisor/Privacy Officer.
  2. Secure the information and environment.
    • Retrieve papers from printers, fax trays, waiting rooms, or hallways.
    • Collect misfiled documents and place them in a secure location.
    • If a device is missing, note the last known location/time and whether it may be unlocked.
  3. Attempt safe retrieval/recall only if it does not create more exposure.
    • Email: use “recall” if available, but do not rely on it. Recall generally works only for recipients inside your own organization’s mail system; a message already delivered to an external address will not be retrieved, and the recall attempt itself may alert the recipient.
    • Fax: call the receiving number immediately, ask them to secure the pages, and request destruction per policy; do not ask them to send photos of the pages back, since that creates a second copy of the PHI.
    • Mail: if still in-house, intercept before it leaves; if already sent, notify your supervisor/Privacy Officer for next steps.
  4. Notify your supervisor/manager promptly.
    • If your organization has an incident hotline or ticketing system, submit it right away.
    • If the incident involves suspected hacking, malware, phishing, lost/stolen device, or unusual system behavior, notify the security/IT pathway immediately (often in parallel with your supervisor).
  5. Preserve evidence; do not “clean up” systems.
    • Do not delete emails, messages, audit logs, or files to hide a mistake.
    • Do not wipe, reimage, or factory-reset a device, and do not run unapproved tools on it; security may need the device and its logs for forensic review. If a device may be compromised, leave it as it is and follow security’s instructions (a remote lock/wipe of a lost device is security’s decision, not yours).
    • Take screenshots only if policy permits and only to capture necessary details; store them securely.

Scenario-based containment examples

Incident: Misdirected email with patient attachment
  • Containment actions you can take now: stop further replies; attempt recall if available; notify supervisor/Privacy Officer; document recipient address and time.
  • What not to do: do not email the wrong recipient more PHI to “clarify”; do not ask them to forward it to the right person.

Incident: Overheard conversation at nurses’ station
  • Containment actions you can take now: move discussion to a private area; lower voice; remind team to pause until in a secure location; notify supervisor if PHI was likely overheard.
  • What not to do: do not dismiss it as “everyone talks here.”

Incident: Lost phone used for work
  • Containment actions you can take now: report immediately; provide last known location/time; follow instructions for remote lock/wipe if authorized.
  • What not to do: do not wait “to see if it turns up” before reporting.

Incident: Wrong-patient chart opened
  • Containment actions you can take now: exit chart; if any documentation/orders were entered, stop and notify supervisor immediately for correction workflow; report the access.
  • What not to do: do not try to quietly edit/delete entries without following correction procedures.

Incident: Paperwork left in waiting room
  • Containment actions you can take now: retrieve papers; secure them; identify who may have viewed them if known; notify supervisor/Privacy Officer.
  • What not to do: do not throw it away in regular trash; do not ignore it because “it was only for a minute.”

What to document (and how to write it)

Good incident documentation is factual, time-stamped, and complete enough for the Privacy Officer/security team to assess risk. Avoid speculation, blame, or clinical commentary unrelated to the incident.

Minimum details to capture

  • Who: patient(s) involved (if known), staff involved, unintended recipient (name, organization, email/fax/phone), witnesses.
  • What happened: clear description of the event (e.g., “lab results PDF attached to email sent to wrong address due to auto-complete”).
  • When: date/time the incident occurred and when it was discovered.
  • Where: unit/department, workstation/printer location, system name, device type.
  • PHI involved: types of data (e.g., name, MRN, diagnosis, meds, DOB), approximate volume (one patient vs. multiple), and format (paper, email, screenshot, EHR view).
  • Containment actions taken: what you did immediately (retrieved pages, notified supervisor, attempted recall, contacted security).
  • Current status: whether information was recovered, whether recipient confirmed deletion (if applicable), whether device is still missing.

Helpful documentation practices

  • Use objective language: “I sent…” “I observed…” “The printer produced…”
  • Include exact identifiers when relevant: email address used, fax number dialed, device asset tag (if known), ticket number.
  • If you are unsure whether PHI was included, document what you know (e.g., “subject line contained patient name; attachment unknown”).
  • Report near misses too: “Caught before sending” still reveals a process risk (auto-complete, similar names, workflow gaps).

Example of a strong incident note

Date/Time discovered: 01/20/2026 10:14 AM
Event time: 01/20/2026 10:12 AM
Location: Clinic A, Workstation 3
System: Outlook
Incident: Email with attached visit summary (PDF) for Patient A was sent to wrong external address due to auto-complete selection.
PHI involved: patient name, DOB, problem list, medications (1 patient).
Containment: Immediately attempted recall; notified supervisor at 10:15 AM; submitted incident ticket #45621 at 10:18 AM.
Recipient: john.smith@externaldomain.com (not affiliated).
Status: Recall pending; no confirmation of deletion yet.

Non-retaliation and “just culture”: why prompt reporting is expected

HIPAA compliance depends on early reporting. Many incidents are caused by system issues (look-alike names, confusing workflows, time pressure, unclear handoffs) rather than intentional misconduct. A just culture approach focuses on learning and prevention while still holding people accountable for reckless behavior.


What non-retaliation means for staff

  • You should not be punished for reporting a good-faith concern or mistake promptly.
  • Reporting is a professional responsibility; it protects patients and the organization.
  • Supervisors should reinforce reporting, help with containment, and route the issue appropriately.

What just culture looks like in practice

  • Human error (slip/lapse): addressed with coaching, workflow fixes, usability improvements.
  • At-risk behavior (taking shortcuts): addressed with education, removing incentives for shortcuts, clearer expectations.
  • Reckless behavior (conscious disregard): addressed with formal accountability measures.

When to involve the Privacy Officer and/or security team

Escalate early when the incident involves external disclosure, uncertain scope, or any sign of security compromise. If you are unsure, report anyway; the Privacy Officer/security team will triage.

Involve the Privacy Officer (or privacy pathway) when

  • PHI may have been disclosed to the wrong person or organization.
  • Paper records are lost, stolen, or found in a public area.
  • Wrong-patient access occurred, especially if information was printed, exported, photographed, or shared.
  • A patient complains about privacy, asks for an accounting of disclosures or an explanation of who accessed their record, or reports they received another patient’s information.
  • There is uncertainty about what information was exposed or how many patients are affected.

Involve security/IT immediately when

  • A device is lost or stolen (phone, laptop, tablet, portable media) that may contain or access patient information.
  • You suspect phishing, malware, ransomware, account compromise, unusual pop-ups, or unexpected password prompts.
  • You notice abnormal access patterns (e.g., your account shows activity you did not perform, or you receive sign-in alerts for devices or locations you do not recognize).
  • Systems are misdirecting information (e.g., portal messages appearing in the wrong account) or you suspect a configuration error.

Parallel reporting: privacy + security

Some events are both privacy and security incidents (e.g., stolen laptop, compromised email account). In those cases, notify both pathways as required by policy; do not assume “someone else will do it.”

Compliant vs. non-compliant behaviors (what to do and what to avoid)

Compliant behaviors

  • Report promptly even if you are embarrassed or unsure whether it “counts.”
  • Contain first by stopping further access/disclosure and securing materials.
  • Be factual in documentation and provide complete details.
  • Follow correction workflows for wrong-chart documentation/orders (notify supervisor; use approved amendment/correction processes).
  • Cooperate with follow-up (privacy/security may ask for timelines, screenshots, device details, or recipient contact info).

Non-compliant behaviors

  • Trying to “fix it quietly” (asking the wrong recipient to ignore it without reporting; deleting evidence; reprinting and discarding incorrectly).
  • Delaying reporting to avoid attention or because you hope the issue resolves itself.
  • Investigating on your own by searching audit logs or accessing additional charts “to see what happened” without authorization.
  • Sharing incident details broadly (gossiping about the event or the patient involved).

A simple escalation script staff can use

When you notify your supervisor/Privacy Officer/security team, clarity matters. Use a short, structured message:

“I need to report a potential privacy/security incident. At [time/date], I [what happened]. It involved [patient(s)/type of PHI]. I have already [containment steps]. The unintended recipient/location/device is [details]. Please advise next steps and who else to notify.”

Near misses: report them too

Near misses are events that could have become incidents but were caught in time (e.g., you noticed the wrong email address before sending, or you caught a wrong-patient chart before documenting). Reporting near misses helps fix root causes such as confusing patient lists, auto-complete risks, printer placement, or unclear handoff routines. Include the same core details, emphasizing what prevented the exposure and what in the workflow made it likely.

Now answer the exercise about the content:

A staff member realizes they opened the wrong patient chart in the EHR and briefly viewed information. What is the most appropriate immediate response?


Staff should focus on containment and rapid escalation: stop the exposure (exit the chart), secure what you can, notify promptly, and document. Do not try to fix it quietly or edit/delete outside approved correction workflows.

Next chapter

HIPAA Compliance Decision-Making: Everyday Best Practices and Real-World Scenarios

Part of the course: HIPAA Compliance for Healthcare Staff: Privacy, Security, and Everyday Best Practices (10 pages)