Greetings, Nadiia.That is a deceptive question. Short answer: it depends.Records can be disclosed without an authorization properly under many circumstances as well.Breaches happen. We are only human (and not all disclosures are breaches). If the breach was maliciously done, that is a good way to lose credentials and the possibility of obtaining them again, as it's a violation of every credential's code of ethics; almost certainly firing from your job as the fine for the facility isn't small, and quite probably blacklisted at least in the area as many will perform a check on you before hiring. Or even jail time which is public record. Most disclosures are not maliciously done.
Negligence is another aspect, and this also determines what penalties are exacted. Sadly this is a bit more broad as it contains everything from forgetting to secure PHI to accidentally going into a wrong chart (the latter is an example of a disclosure that isn't a breach). Once or twice is not great, but possibly acceptable. If it becomes habit then it becomes more of a problem as if breaches the fines gets more stringent.In terms of responsibility, if you did it, you are responsible. However so is the facility as you are acting on behalf of them.
Was there a specific kind of disclosure you were referring to?
Ah. Well, that would fall under a malicious breach, as it sounds like knew exactly what he was doing. Certainly slander. Potentially worth bringing suit to person and hospital, as well as a restraining order. Also to get an accounting of disclosures, and insist that he not go into your (or their) record. It also depends if in a similar position.
Certainly worth contacting at least the OCR regarding the breach. Something like that doesn't neccesarily preclude you from finding work as if the health system is willing to work with, nothing can really stop them, though OCR, JHACO and a few more acronyms would have words. but nepotism is a thing, as well. I know if it was me, or my daughter, I would be bringing brimstone but that's just me. Absolutely I would be contacting OCR, company leads, HIM Director and placing reviews everywhere I thought would reach. I personally find while an accidental breach can and will happen, something blatant like this is inexcusable, to my mind.