Question: One of our nurses has been copying and taking home our physicians' daily schedules. Included in the schedule are patients' names, telephone numbers and their reasons for visiting. The schedules have been destroyed and no patient information appears to have been inappropriately viewed. What is our mitigation obligation under HIPAA? Answer: You have no mitigation obligation if no harm was caused by the employee's action, notes attorney Robyn Meinhardt of Foley & Lardner in Denver. Next step: You must determine the employee's level of culpability. "Ask yourself: Did she know this was against the rules?" Meinhardt says. The Bottom Line: While you do not need to mitigate this violation, you do need to figure out what went wrong in the situation and make sure it doesn't happen again. "Work through your sanction policy and do what is appropriate" for the situation, Meinhardt says.