How to Report a Compliance, Privacy, or Security Incident
What is a Privacy Incident
A Privacy Incident is the unauthorized access, use, collection, disclosure, or release of information. For example, inappropriately accessing medical records or personnel information, or collecting social security numbers when such collection is not needed.
What is a Security Incident
A Security Incident is when an information technology resource (a computer, Macintosh, laptop, PDA, etc.) is compromised.
If the breach involves a computer system containing sensitive data:
- If possible, unplug the system from the network, but do not turn it off.
- Report the breach, along with your contact information, immediately to:
  - Your supervisor
  - Your IT Administrator/IT Department
  - OIT Compliance Office
- If a computer or other data management device (disk, USB drive, etc.) has been lost or stolen, also notify the University Police Department, or your local law enforcement agency, as appropriate.
- Date, time and location of the incident: time may be estimated; location should be the College, Department, Division, Clinic or other Unit affected, or the location of found documents.
- The nature of the incident: A clear description of what happened and how, if known.
- Type of sensitive data involved: Paper records, electronic records, or other type of data.
- Other persons involved: Names, titles, contact information, and how they were involved.
- Any immediate harm known or observed: Was data used, disclosed, altered, damaged, or destroyed? Was the patient/client aware?
- Immediate corrective actions already taken: for example, documents or computer equipment were secured, the accidental recipient of PHI was asked to return or destroy the data, e-mail was retracted, etc.
- Send the Compliance Incident Report to the OIT Compliance Office immediately.
After investigation, if notification of affected persons or mitigation is required, departments and/or individuals involved in the privacy breach may be asked to assist with the notification process and/or in mitigating the harmful effects.
The Compliance Hot-Line
Office: (801) 587-9241
Fax: (801) 587-9443
Pager: (801) 339-4357 (24x7)
Toll-Free: (866) 890-3361
E-Mail: compliance@utah.edu

