How to Document HIPAA Violations: Employer Write-Up Requirements and Examples
Knowing how to document HIPAA violations protects patients, your workforce, and your organization. This practical guide shows you how to complete employer write-ups that meet HIPAA Compliance expectations, evaluate risk, and implement fixes—using clear requirements and real-world examples.
You will learn how to identify an incident involving Protected Health Information (PHI), create solid Incident Documentation, apply a Violation Severity Classification, build a Corrective Action Plan, and prevent repeat issues through HIPAA Policy Updates and training.
Identify the Violation
A HIPAA violation occurs when PHI is used, disclosed, accessed, or safeguarded in a way that conflicts with the Privacy Rule or the Security Rule. A Security Rule violation (for example, an unencrypted device holding PHI) can exist even when no disclosure has occurred. Start by confirming whether the information at issue qualifies as PHI, then whether the use, disclosure, or access was impermissible under the Privacy Rule and your own policies.
Rapid triage questions
- What happened, where, and when was it discovered?
- Was PHI involved, and what types (names, MRNs, diagnoses, images, etc.)?
- Who accessed or received the data (workforce, business associate, external party)?
- Was the use/disclosure authorized, and was it consistent with the minimum necessary standard?
- What safeguards failed (administrative, physical, technical)?
Immediate stabilization steps
- Stop further disclosure: request message recall (which rarely succeeds once a message has left your own mail system, so follow up with the recipient directly), secure messages, lock or disable accounts, and retrieve papers/devices.
- Collect key facts while fresh: systems involved, senders/recipients, timestamps, screenshots.
- Notify your privacy/security officer to initiate formal Incident Documentation.
Common examples to recognize
- Misdirected email or fax containing PHI sent outside the organization.
- Workforce “snooping” into a record without a job-related need.
- Lost or stolen unencrypted laptop, phone, or USB drive with PHI.
- Papers with PHI left unsecured in public areas or discarded improperly.
- Social media posts that reveal a patient’s identity or treatment.
Document the Incident
Accurate, complete write-ups preserve evidence, support risk analysis, and guide corrective action. Use a structured template so every HIPAA violation record is consistent and audit-ready.
Employer write-up template (core fields)
- Incident ID; date/time of occurrence and discovery; reporter name and contact.
- Description of what happened, including locations, systems, and workflow context.
- PHI elements involved and sensitivity (clinical notes, images, SSN, financial data).
- Number of affected individuals; patient identifiers if known.
- Who accessed/received PHI (internal role, business associate, external party).
- Containment and mitigation taken (email recall, device wipe, record sequester).
- Security controls in place or missing (encryption, MFA, DLP, access logs).
- Preliminary risk assessment notes and whether data was viewed/acquired.
- Business associate involvement and BAA status, if applicable.
- Planned next steps, including Violation Severity Classification (pending evaluation).
- Corrective Action Plan summary and Employee Sanctions, if applicable.
- Attachments/evidence: logs, screenshots, statements, copies of notifications.
Completed example (misdirected email)
On April 3 at 9:42 a.m., staff emailed a discharge summary for Jane D. to an unintended external recipient due to an autocomplete error. PHI included name, DOB, MRN, diagnosis, and medication list. The email was unencrypted; the recipient is a local business not affiliated with the organization. Discovery occurred at 10:05 a.m.; the sender notified Privacy immediately. Containment: recall request sent; recipient contacted by phone at 10:22 a.m. and confirmed deletion with a signed attestation at 11:10 a.m. Logs confirm no further forwarding. Preliminary assessment indicates low probability of compromise due to immediate mitigation and signed deletion, but final severity pending review. CAP to include targeted email-safety training and DLP rule updates.
Evidence to retain
- System and email logs, access reports, and audit trails.
- Screenshots of messages, misaddressed emails, or EHR activity.
- Signed attestations of deletion or return of data, when obtained.
- Employee statements and manager notes documenting facts and timelines.
- Copies of notifications and the final risk analysis.
Evaluate the Severity
Apply a consistent Violation Severity Classification informed by HIPAA's breach risk assessment factors. Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the four-factor risk assessment shows a low probability that the PHI has been compromised; the internal severity tiers below sit on top of that determination, they do not replace it. The classification determines notifications, Employee Sanctions, and the scope of your Corrective Action Plan.
Risk assessment factors to document
- Nature and extent of PHI (types, volume, sensitivity, re-identification risk).
- Unauthorized person who used/received the PHI and their obligations to protect it.
- Whether PHI was actually acquired or viewed, based on reliable evidence.
- The extent to which risks were mitigated (encryption, deletion, recovery).
Severity levels (illustrative model)
- Level 1 – Low: Inadvertent, minimal PHI, limited recipient, strong mitigation. Example: single summary faxed to provider with immediate confirmation and deletion.
- Level 2 – Moderate: Negligent error with notable PHI or broader exposure. Example: email with diagnoses sent to external party, deletion confirmed after delay.
- Level 3 – Serious: Large volume, sensitive PHI, repeat conduct, or weak controls. Example: paper charts left in public area; unknown if viewed.
- Level 4 – Egregious/Willful neglect: Intentional snooping, theft, or failure to correct known deficiencies. Example: workforce member accesses celebrity record out of curiosity.
Example severity write-up
Lost unencrypted tablet containing 230 patient images and notes; because the device is unencrypted, its contents are likely accessible to whoever finds it. No remote wipe. Unknown finder. Mitigation limited to account resets and patient flagging. Classification: Level 3 (Serious) due to volume, sensitivity, and lack of encryption. Actions: individual breach notifications within 60 days of discovery; HHS reporting (230 individuals is under the 500 threshold, so the breach goes on the annual log due within 60 days after the end of the calendar year, and media notice is not triggered); expedited encryption program. Had the tablet been encrypted to the HHS guidance standard, the PHI would have counted as secured and the loss would not have been a reportable breach.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Implement Corrective Actions
A strong Corrective Action Plan addresses root cause, mitigates harm, and reduces recurrence. Align actions with the severity level and document ownership and deadlines.
Containment and mitigation
- Secure accounts, revoke access, remote wipe devices, and sequester affected records.
- Obtain recipient deletion confirmations or return of data when feasible.
- Offer credit monitoring if financial identifiers were exposed, based on risk.
Notifications and reporting
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery once a breach of unsecured PHI is confirmed.
- Report breaches to HHS: within 60 days of discovery when 500 or more individuals are affected, otherwise on the annual log due within 60 days after the end of the calendar year in which the breach was discovered; notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. A business associate must notify the covered entity without unreasonable delay and within 60 days of discovering a breach.
- Document the risk assessment that supports any decision not to notify.
Training, process, and technology
- Targeted retraining tied to the incident; refresh privacy and security fundamentals.
- Process fixes: verification steps for emails/faxes, two-person checks for mailings.
- Technology controls: DLP rules, message delay/recall, encryption, MFA, MDM.
Employee Sanctions
- Level 1: Coaching and documented counseling; retraining.
- Level 2: Written warning; performance plan; closer monitoring.
- Level 3: Final warning or suspension; role restriction or reassignment.
- Level 4: Termination and access removal; consider reporting to licensing boards when required.
Sample Corrective Action Plan (excerpt)
- Root cause: Autocomplete sent PHI externally; lack of DLP rule for diagnosis terms.
- Actions: Enable DLP block for external recipients; 15-minute send delay; role-based training within 10 business days.
- Owner and due dates: Privacy (training, 10 days); IT Security (DLP and delay, 7 days); HIM (address book cleanup, 14 days).
- Success metrics: Zero repeat misdirected emails in 90 days; DLP incident trend reduced by 50% in 6 months.
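The outbound DLP control in the CAP above (block PHI to unknown external recipients, hold the rest for the send delay, catch autocomplete misdirection), written out as an added Python example; this is not code from the page or from Accountable. The internal domain, the business-associate domain list, the internal mailbox names, the PHI patterns and the sample messages are all assumptions constructed for illustration; a production policy would use a curated PHI lexicon, document fingerprinting, and the mail gateway's own policy engine.

```python
"""Outbound e-mail DLP check for PHI: added example, not the page's own code.

All names, domains, patterns and sample messages below are assumptions
constructed for illustration.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-health.org"}    # assumed covered-entity domain
BAA_DOMAINS = {"billing-partner.example"}    # assumed business associates with a BAA on file
INTERNAL_USERS = {"jsmith", "nurse.kim"}     # assumed local parts of internal mailboxes

# Constructed PHI indicators: an MRN label with digits, a DOB label with a date,
# and a few diagnosis terms matched on word boundaries (so "archive" does not
# trip "hiv"). A real policy would use a curated lexicon and classifiers.
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I)
DOB_RE = re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I)
DIAGNOSIS_RE = re.compile(r"\b(diagnosis|hiv|diabetes|oncology|psychiatric)\b", re.I)


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                       # "allow", "hold" (send delay) or "block"
    reasons: list = field(default_factory=list)


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def phi_indicators(text):
    """Return the PHI indicators found in the text (empty list if none)."""
    found = []
    if MRN_RE.search(text):
        found.append("mrn")
    if DOB_RE.search(text):
        found.append("dob")
    hits = sorted({h.lower() for h in DIAGNOSIS_RE.findall(text)})
    if hits:
        found.append("diagnosis:" + ",".join(hits))
    return found


def evaluate(msg):
    """Decide allow/hold/block for one outbound message."""
    indicators = phi_indicators(msg.subject + "\n" + msg.body)
    if not indicators:
        return Verdict("allow")                   # no PHI: nothing to enforce
    external = [r for r in msg.recipients if domain(r) not in INTERNAL_DOMAINS]
    if not external:
        return Verdict("allow", ["phi_internal_only"])
    reasons = list(indicators)
    unknown = [r for r in external if domain(r) not in BAA_DOMAINS]
    # Autocomplete misdirection: an external address whose local part matches an
    # internal mailbox (jsmith@gmail.com chosen instead of jsmith@<internal>).
    for r in unknown:
        if local_part(r) in INTERNAL_USERS:
            reasons.append("possible_autocomplete_misdirect:" + r)
    if unknown:
        reasons.append("phi_to_unknown_external:" + ",".join(unknown))
        return Verdict("block", reasons)
    # Every external recipient is a BAA party: hold for the send delay so the
    # sender can confirm the address instead of blocking legitimate traffic.
    reasons.append("phi_to_baa_party")
    return Verdict("hold", reasons)


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Message("rn.kim@example-health.org", ["jsmith@gmail.com"],
                "Discharge summary", "MRN: 00123456 DOB: 04/02/1970 Diagnosis: diabetes"),
        Message("rn.kim@example-health.org", ["claims@billing-partner.example"],
                "Claim 4471", "MRN: 00123456 visit 04/01"),
        Message("rn.kim@example-health.org", ["jsmith@example-health.org"],
                "Handoff", "MRN: 00123456 DOB: 04/02/1970"),
        Message("rn.kim@example-health.org", ["friend@gmail.com"],
                "Lunch", "Noon at the cafe?"),
    ]
    for m in samples:
        v = evaluate(m)
        print(f"{v.action:5} -> {', '.join(m.recipients)} ({'; '.join(v.reasons)})")
```

The verdict carries its reasons so the DLP incident record (the trend the CAP's success metric tracks) can be populated from the same decision; the hold path exists because blocking every PHI message to a business associate would push staff toward workarounds.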
Documentation and retention
- Keep the full incident file, risk assessment, CAP, and notifications together.
- Retain HIPAA-related documentation and policy records for at least six years from the date of creation or the date the document was last in effect, whichever is later.
Prevent Future Violations
Prevention combines HIPAA Policy Updates, training, technical safeguards, and continuous monitoring. Treat every incident as a learning opportunity and close the loop.
HIPAA Policy Updates
- Update policies after root-cause analysis to reflect new controls and workflows.
- Clarify minimum necessary access, verification procedures, and acceptable use.
- Distribute updates to affected roles and track acknowledgments.
Training and culture
- Provide new-hire, annual, and just-in-time training targeted to job functions.
- Run phishing and misdirection simulations; share anonymized lessons learned.
- Promote a “see something, say something” reporting culture without retaliation.
Technical safeguards and monitoring
- Enforce encryption at rest and in transit; require MFA and device management.
- Use DLP, audit logging, anomaly detection, and access alerts for sensitive charts.
- Audit business associates and validate their safeguards and incident response.
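The "access alerts for sensitive charts" and anomaly detection listed above, as an added Python example that is not part of the original page: a small detector that reads constructed EHR chart-access audit events and flags three snooping signals, namely access to a patient with whom the user has no encounter assignment (allowing a grace period after the encounter ends), access to a flagged chart, and access outside the user's scheduled hours. The CSV layout, the encounter table, the grace period, the flagged-patient set and the schedule are assumptions for illustration; a real deployment would draw the treatment relationship from the EHR's encounter or care-team tables.

```python
"""Chart-access snooping detector: added example, not the page's own code.

The audit-log layout, encounter table, flagged patients, schedule and the
24-hour grace period are assumptions constructed for illustration.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed encounter assignments: which user is caring for which patient
# and during what window. Real systems derive this from encounter/care-team data.
ENCOUNTERS_CSV = """patient_id,user_id,start,end
P1001,dr.lee,2024-04-01T08:00,2024-04-03T18:00
P1002,rn.kim,2024-04-02T07:00,2024-04-02T19:00
"""

# Constructed EHR audit events (all identifiers fictional).
ACCESS_LOG_CSV = """ts,user_id,patient_id,action
2024-04-02T09:10,dr.lee,P1001,view_chart
2024-04-02T09:12,rn.kim,P1002,view_meds
2024-04-02T13:45,rn.kim,P1001,view_chart
2024-04-02T22:30,clerk.ray,P1003,view_chart
2024-04-05T10:00,dr.lee,P1001,view_notes
"""

VIP_PATIENTS = {"P1003"}             # assumed flagged charts (VIP, employee, etc.)
GRACE = timedelta(hours=24)          # assumed: access tolerated this long after an encounter ends
ROLE_HOURS = {"clerk.ray": (7, 19)}  # assumed scheduled hours (start hour, end hour) per user


def parse(ts):
    return datetime.fromisoformat(ts)


def load_encounters(text):
    """Map (user, patient) -> list of (start, end) windows."""
    rel = defaultdict(list)
    for row in csv.DictReader(StringIO(text)):
        rel[(row["user_id"], row["patient_id"])].append(
            (parse(row["start"]), parse(row["end"])))
    return rel


def has_relationship(rel, user, patient, at):
    """True if the user had an encounter with the patient covering `at`."""
    return any(start <= at <= end + GRACE
               for start, end in rel.get((user, patient), []))


def detect(access_text, encounters_text):
    """Return one alert per audit event that trips at least one signal."""
    rel = load_encounters(encounters_text)
    alerts = []
    for row in csv.DictReader(StringIO(access_text)):
        at, user, patient = parse(row["ts"]), row["user_id"], row["patient_id"]
        reasons = []
        if not has_relationship(rel, user, patient, at):
            reasons.append("no_treatment_relationship")
        if patient in VIP_PATIENTS:
            reasons.append("flagged_chart")
        hours = ROLE_HOURS.get(user)
        if hours and not (hours[0] <= at.hour < hours[1]):
            reasons.append("outside_scheduled_hours")
        if reasons:
            alerts.append({"ts": row["ts"], "user": user, "patient": patient,
                           "action": row["action"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(ACCESS_LOG_CSV, ENCOUNTERS_CSV):
        print(f"{a['ts']} {a['user']:10} {a['patient']} {a['action']:10} "
              f"{', '.join(a['reasons'])}")
```

On the constructed data this raises three alerts: rn.kim viewing P1001 with no assignment, clerk.ray opening a flagged chart at night with no assignment, and dr.lee returning to P1001's notes two days after the encounter closed. The last one is the kind of event a privacy officer should review rather than auto-sanction, which is why the detector emits reasons instead of a verdict.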
Conclusion
Effective documentation turns a HIPAA incident into an improvement plan. Identify the violation, record precise facts, classify severity, apply a targeted Corrective Action Plan and Employee Sanctions where appropriate, and harden controls through HIPAA Policy Updates. Consistent, thorough write-ups are the backbone of sustainable HIPAA Compliance.
FAQs
What information must be included in a HIPAA violation write-up?
Include who reported the incident; dates/times of occurrence and discovery; a factual narrative; PHI types and number of individuals affected; systems and locations involved; recipients or unauthorized users; containment and mitigation steps; preliminary risk assessment; Violation Severity Classification; Corrective Action Plan; Employee Sanctions (if any); and attachments such as logs, statements, and copies of notifications.
How are different levels of HIPAA violations classified?
Organizations commonly use four tiers: Level 1 (low risk, inadvertent, strong mitigation), Level 2 (moderate risk or broader exposure), Level 3 (serious risk, repeat conduct, or weak controls), and Level 4 (egregious or willful neglect). The classification guides notifications, sanctions, and the scope of remediation.
What corrective actions are appropriate for HIPAA violations?
Start with containment and mitigation, then tailor a Corrective Action Plan that may include targeted retraining, policy/process changes, technical controls (encryption, DLP, MFA), and monitoring. Apply proportionate Employee Sanctions based on severity and intent, and complete required notifications and reporting when a breach occurs.
How can employers prevent future HIPAA violations?
Continuously update policies after incidents, provide role-based and just-in-time training, deploy technical safeguards (encryption, access controls, DLP), monitor for anomalous access, and oversee business associates. Track metrics, audit regularly, and reinforce a reporting culture to sustain HIPAA Compliance.