Investigate and respond to alleged violations of laws, regulations, contractual requirements and/or policies

Investigate and immediately respond to violations of policy and/or incidents that may involve the loss of, improper disclosure of, or improper access to personal health information (for example, the loss or theft of paper PHI; the loss or theft of a computer, smartphone, hard disk or thumb drive storing ePHI; an electronic intrusion into a computer storing ePHI). Individuals who report violations must not be subjected to retaliation or harassment.

Investigate the reported violation and investigate security concerns identified through means other than a reported violation, including routine and targeted monitoring activities.

Source:
http://hipaa.yale.edu/sites/default/files/files/5100.pdf