HIPAA Privacy Program

Contact the HIPAA Privacy Program

Email: hipaa@nau.edu
Call: 928-523-7906

Report a Suspected HIPAA Incident

Employees often worry about whether something “counts” as a HIPAA violation. You are not responsible for deciding whether a HIPAA violation occurred. Only the HIPAA Privacy Officer (or their designee) has the authority and training to make that determination. Your role is simply to report anything that seems unusual, accidental, or concerning.

What Is a Suspected Privacy Incident?

A suspected Privacy Incident is any access, use, disclosure, or loss of Protected Health Information (PHI) that may not be permitted under HIPAA or our internal policies—even if you are unsure whether it is a breach.


How To Report a Suspected Privacy Incident

Please use any reporting option below:

  • Online Incident Report Form:
    (see form below, or send documents to PO Box 4116, Flagstaff, AZ 86011)
  • Email the HIPAA Privacy Officer: hipaa@nau.edu
  • Phone: 928-523-7906
  • Supervisor or Manager (who must forward immediately)

Timeliness matters. HIPAA requires prompt investigation and mitigation. Reports may be made 24/7. There is no penalty for good-faith reporting.

Examples of Suspected Privacy Incidents

This list is not exhaustive:

  • Accessing a patient record without a job-related purpose
  • Viewing your own, a family member’s, or a coworker’s medical record
  • Sending PHI to the wrong patient, payer, provider, or email recipient
  • Lost or stolen laptops, phones, USB drives, or paper files containing PHI
  • Discussing patient information in public or unsecured locations
  • Misdirected faxes or mail containing PHI
  • Patient complaints about privacy or confidentiality
  • Ransomware, malware, or other security events involving systems with PHI

What Happens After You Report

The Privacy Officer will:

  • Document and investigate the incident
  • Conduct a breach risk assessment, evaluating:
    • Nature and extent of PHI
    • Unauthorized person who used or received PHI
    • Whether PHI was actually acquired or viewed
    • Mitigation actions taken
  • Determine whether notification is required
  • Coordinate corrective actions, training, or sanctions if applicable

Retaliation Is Prohibited

NAU strictly prohibits retaliation against any workforce member who reports a Privacy incident or participates in an investigation in good faith.

Who must report suspected HIPAA incidents?

“Workforce Members” work or train at NAU’s Health Care Components and can be any of the following (whether paid or unpaid):

  • Faculty or staff (including volunteers and trainees)
  • Students
  • Fellows
  • Agents
  • Contractors or vendors
  • Affiliates
  • Third parties contracted on behalf of NAU’s Health Care Components

FAQs

What if I am not sure it is a breach?

Report it anyway. The Privacy Officer determines whether an event meets the legal definition of a breach.

Can I be disciplined for reporting my own mistake?

Good-faith reporting is expected. Failure to report can result in greater risk and consequences than the mistake itself.

How fast must incidents be reported?

Immediately upon discovery. Internal delay can jeopardize compliance with federal notification timelines.

When in doubt, report it out

The HIPAA Privacy Officer, not individual staff, determines whether the event is a reportable HIPAA violation.

Online Incident Report Form