Snooping Investigation
A documented investigation when audit logs show a workforce member accessed a patient record without a legitimate treatment, payment, or operations purpose.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 3
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
Snooping is an impermissible use under 45 CFR 164.502 and, depending on the four-factor analysis, may be a reportable breach under 45 CFR 164.402. OCR has imposed penalties for failure to investigate and sanction snooping.
How it shows up in your practice
When the audit log flags a record access outside the workforce member's caseload, document the investigation, the interview, and the sanction. Snooping by an employee against a family member is a recurring OCR-investigation pattern.
Sources
- 45 CFR 164.502 — Uses and disclosures of PHIhttps://www.ecfr.gov/current/title-45/section-164.502
- 45 CFR 164.402 — Breach definitionshttps://www.ecfr.gov/current/title-45/section-164.402
- HHS — HIPAA Privacy Rulehttps://www.hhs.gov/hipaa/for-professionals/privacy/index.html
Use the snooping investigation playbook in the Compliance Binder
Open compliance binder →Related terms
- SecurityAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- SecuritySanctions PolicyThe HIPAA-required policy that imposes appropriate consequences on workforce members who violate the covered entity's privacy and security policies.
- HIPAA & PrivacyFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- SecurityWorkforce TrainingHIPAA-required training of workforce members on the covered entity's privacy and security policies.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- GlossaryAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- GlossarySanctions PolicyThe HIPAA-required policy that imposes appropriate consequences on workforce members who violate the covered entity's privacy and security policies.
- GlossaryWorkforce TrainingHIPAA-required training of workforce members on the covered entity's privacy and security policies.
- GlossaryRansomwareMalicious software that encrypts data or systems and demands payment for decryption; HHS guidance generally presumes a ransomware event on ePHI is a HIPAA breach.
- GlossaryAccounting of DisclosuresThe HIPAA right of an individual to receive a list of disclosures of their PHI made by a covered entity over the prior six years.
- GlossaryAmendment of PHIThe HIPAA right of an individual to request that a covered entity amend PHI in a designated record set.
- RegulationHIPAA Security Access Control (45 CFR 164.312(a))Technical policies and procedures for systems containing ePHI to allow access only to those granted access rights, with required specifications for unique user identification and emergency access.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.