Recognizing and Reporting Privacy Violations

Key Takeaways

  • Privacy incidents include unauthorized access (snooping), misdirected disclosure, public discussion, lost or stolen devices, and improper disposal.
  • The best first action is usually to contain the exposure and report through facility policy without further investigating beyond your role.
  • Under the HIPAA Breach Notification Rule, an impermissible use or disclosure is presumed a breach unless a four-factor risk assessment shows low probability of compromise.
  • Frontline staff recognize and report incidents; the organization, not the coder, determines whether breach notification is required.
Last updated: June 2026

Recognize the incident types

A privacy violation can involve access, use, disclosure, storage, disposal, or conversation. High-yield examples for the CCA:

  • Snooping — opening a record (a coworker, celebrity, neighbor, or relative) without a job reason.
  • Misdirected disclosure — faxing or emailing PHI to the wrong number or address.
  • Public discussion — talking about an identifiable patient in a cafeteria, elevator, or social media post.
  • Lost or stolen ePHI — an unencrypted laptop, phone, or USB drive.
  • Improper disposal — patient labels or worksheets in regular trash.

The breach notification framework

The HIPAA Breach Notification Rule (45 CFR 164.400-414) presumes that any impermissible use or disclosure of unsecured PHI is a breach unless a four-factor risk assessment demonstrates a low probability that PHI was compromised. The four factors are: (1) the nature and extent of the PHI, including identifiers and likelihood of re-identification; (2) the unauthorized person who used or received it; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which risk has been mitigated.

If a breach affecting 500 or more individuals occurs, notification to HHS and the media is required without unreasonable delay and within 60 days; smaller breaches are logged and reported to HHS annually.

The coder does not perform this assessment alone. The exam answer is to recognize the incident, protect PHI, and report — the privacy/compliance team applies the framework.

Reporting logic

  1. Stop or limit the exposure if it can be done safely.
  2. Do not access more PHI to investigate unless assigned.
  3. Report promptly through the approved channel (supervisor, HIM director, privacy officer, security officer, compliance hotline, or incident system).
  4. Give factual details: what happened, whose information, when, where, and who was involved.
  5. Follow instructions from privacy, security, HIM, or compliance staff.

Reject any answer that hides the event, warns a friend to delete evidence, confronts staff in public, or independently decides no report is needed. Even a near miss may warrant reporting so the organization can assess risk and improve safeguards. Sanctions for snooping are typically severe — up to termination — regardless of intent.

Notification timelines and exceptions

For a confirmed breach, affected individuals must be notified without unreasonable delay and no later than 60 days from discovery. Breaches affecting 500 or more residents of a state or jurisdiction also require media notification and immediate notice to HHS; breaches under 500 are logged and reported to HHS within 60 days after the end of the calendar year.

The Breach Notification Rule recognizes narrow exceptions that are not breaches: (1) unintentional, good-faith access by a workforce member acting within scope, with no further use or disclosure; (2) inadvertent disclosure between two authorized persons at the same entity; and (3) a disclosure where the entity has a good-faith belief the recipient could not reasonably have retained the information. The exam may describe a fax instantly recalled or returned unopened, which can fall under these exceptions after assessment.

Secured vs. unsecured PHI

Notification obligations attach only to unsecured PHI — PHI not rendered unusable through encryption or destruction meeting HHS guidance. A lost laptop holding encrypted ePHI generally is not a reportable breach, which is why encryption is such a high-value control. This is a frequent CCA distinction: the same physical loss can be a breach or not depending on whether the data was secured.

Incident triage at a glance

Event                      | First step                       | Who decides breach?
Snooping in the EHR        | Stop, report, do not re-access   | Privacy/compliance
Misdirected fax            | Contain, request return, report  | Privacy/compliance
Lost encrypted laptop      | Report; likely 'secured'         | Privacy/compliance
Public hallway disclosure  | Move conversation, report        | Privacy/compliance

The coder's lane is narrow and reliable: recognize the event, contain it safely, report factually, and cooperate. Determining whether the four-factor assessment results in a breach, drafting notification letters, and notifying HHS belong to the privacy and compliance team, not to frontline coding staff.

Worked example

A coder accidentally emails a spreadsheet containing 40 patients' names, MRNs, and diagnosis codes to an external billing contact whose address auto-completed incorrectly. The data was not encrypted. What does the coder do, and what does the organization do? The coder's immediate steps are to stop sending anything further, attempt to recall the message, document exactly what was sent and to whom, and report to the privacy officer right away — not to quietly hope it goes unnoticed.

The organization then runs the four-factor assessment: the PHI included names, MRNs, and diagnoses (significant); the recipient is an outside party (raises risk); the data was likely received and viewable (acquired); and mitigation may include a recall, a confidentiality attestation, or confirmed deletion. Because the data was unsecured, this very likely qualifies as a reportable breach, and the 40 affected individuals must be notified within 60 days. The coder did everything right by recognizing, containing, and reporting; the privacy team owns the assessment and notifications.

Contrast this with the same file sent encrypted with a secure link — that PHI is 'secured,' and the loss may not be a reportable breach at all.
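The decision path the last three sections describe (secured vs. unsecured PHI, the three exceptions, the presumption of breach rebutted only by a documented four-factor conclusion, and the 500-individual threshold that sets the HHS and media obligations) is easy to get wrong under time pressure, so here it is written out as a small triage helper. This is an added example, not code from the page or from any HIPAA tooling; the thresholds and 60-day windows are taken from the text above, while the class and field names, the exception labels, and the discovery date of the sample incident are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import Optional

# Threshold and deadline as stated on the page (45 CFR 164.400-414 summary).
LARGE_BREACH_THRESHOLD = 500
NOTICE_WINDOW = timedelta(days=60)

# The three narrow exceptions named in the text; labels are assumed, not regulatory terms.
EXCEPTIONS = {
    "good_faith_workforce_access",           # unintentional, in scope, no further use
    "inadvertent_authorized_to_authorized",  # between two authorized persons, same entity
    "recipient_could_not_retain",            # good-faith belief recipient could not retain it
}


class Outcome(Enum):
    SECURED = "secured PHI: notification obligations do not attach"
    EXCEPTION = "meets a Breach Notification Rule exception: not a breach"
    LOW_PROBABILITY = "four-factor assessment documented low probability of compromise"
    REPORTABLE = "presumed breach of unsecured PHI: notification required"


@dataclass
class FourFactorAssessment:
    """Record of the assessment the privacy/compliance team (not the coder) performs."""
    nature_and_extent: str       # factor 1: identifiers, likelihood of re-identification
    unauthorized_recipient: str  # factor 2: who used or received the PHI
    actually_acquired: bool      # factor 3: was the PHI actually acquired or viewed
    mitigation: str              # factor 4: what has been done to reduce the risk
    low_probability: bool        # the team's documented conclusion


@dataclass
class Incident:
    discovered: date
    individuals_affected: int
    max_residents_one_state: int  # drives the media-notice test
    phi_secured: bool             # encrypted or destroyed per HHS guidance
    exception: Optional[str] = None
    assessment: Optional[FourFactorAssessment] = None


@dataclass
class NotificationPlan:
    outcome: Outcome
    individual_notice_by: Optional[date] = None
    hhs_notice: Optional[str] = None
    hhs_notice_by: Optional[date] = None
    media_notice_required: bool = False


def plan_notification(incident: Incident) -> NotificationPlan:
    """Apply the page's decision order: secured? exception? rebutted presumption? else notify."""
    if incident.phi_secured:
        return NotificationPlan(Outcome.SECURED)
    if incident.exception in EXCEPTIONS:
        return NotificationPlan(Outcome.EXCEPTION)
    # Presumption of breach: only a documented low-probability conclusion rebuts it.
    if incident.assessment is not None and incident.assessment.low_probability:
        return NotificationPlan(Outcome.LOW_PROBABILITY)

    plan = NotificationPlan(Outcome.REPORTABLE)
    plan.individual_notice_by = incident.discovered + NOTICE_WINDOW
    if incident.individuals_affected >= LARGE_BREACH_THRESHOLD:
        plan.hhs_notice = "immediate, with individual notice"
        plan.hhs_notice_by = plan.individual_notice_by
    else:
        # Smaller breaches go on the annual log, due 60 days after the calendar year ends.
        year_end = date(incident.discovered.year, 12, 31)
        plan.hhs_notice = "annual log"
        plan.hhs_notice_by = year_end + NOTICE_WINDOW
    plan.media_notice_required = incident.max_residents_one_state >= LARGE_BREACH_THRESHOLD
    return plan


# Constructed sample: the page's misdirected-email scenario with an assumed discovery date.
MISDIRECTED_EMAIL = Incident(
    discovered=date(2026, 3, 10),
    individuals_affected=40,
    max_residents_one_state=40,
    phi_secured=False,
    assessment=FourFactorAssessment(
        nature_and_extent="names, MRNs, diagnosis codes",
        unauthorized_recipient="external billing contact",
        actually_acquired=True,
        mitigation="recall attempted; confirmed deletion requested",
        low_probability=False,
    ),
)

# The contrast case from the text: same file, but sent encrypted via a secure link.
SAME_FILE_ENCRYPTED = replace(MISDIRECTED_EMAIL, phi_secured=True)

if __name__ == "__main__":
    print(plan_notification(MISDIRECTED_EMAIL))
    print(plan_notification(SAME_FILE_ENCRYPTED))
```

Note that the helper never lets the coder's input short-circuit the presumption: the only path to `LOW_PROBABILITY` is an assessment record the privacy/compliance team has filled in, which mirrors the page's point that frontline staff report and the organization decides.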

Test Your Knowledge

A coder sees a coworker reading the record of a hospitalized relative without an assigned work reason. What is the best action?

Test Your Knowledge

Under the HIPAA Breach Notification Rule, how is an impermissible disclosure of unsecured PHI treated?

Test Your Knowledge

Which event is most likely a privacy concern?
