How to Report a HIPAA Violation

It is important that all workers in the healthcare industry have a firm grasp of what a HIPAA violation is and how to report one to the appropriate bodies.
What a HIPAA violation entails should be outlined in HIPAA training, as should the correct individual to direct a report to, who is then responsible for determining whether or not the HIPAA violation report should be filed with the Department of Health and Human Services' Office for Civil Rights (OCR). Potential HIPAA violations must be investigated by HIPAA Covered Entities and, where applicable, their Business Associates to determine the scope of the breach and the risk to the individuals affected by the incident, and to ensure action is taken swiftly to remedy the breach and limit the damage. If a breach is addressed soon after a HIPAA violation is reported, it becomes simpler to restrict the potential harm that may be caused and to prevent further breaches of HIPAA Rules.

Internal Reporting of HIPAA Violations

When healthcare or insurance workers believe that a violation of HIPAA has taken place, the incident should be reported to a supervisor, the organization's Privacy Officer, or the individual responsible for ensuring HIPAA compliance in the organization.

HIPAA violations due to human error take place even when great care is taken by employees. The HIPAA complaint will have to be reviewed internally and a decision made as to whether it is a reportable breach under the provisions of the HIPAA Breach Notification Rule. In many instances, incidents are minor enough that no notifications need to be sent, such as when small errors are made in good faith.

If you have made a mistake, have accidentally seen the PHI of a patient that you do not have permission to access, or suspect that another person in your organization has breached HIPAA Rules, you should report the HIPAA violation as quickly as possible. Failing to do so is likely to be viewed unfavorably when the breach is later discovered.

Officially Reporting a HIPAA Violation to OCR

It is also acceptable for employees and patients to bypass the covered entity and make a HIPAA complaint directly to OCR if they believe a Covered Entity has breached the HIPAA Privacy, Security, or Breach Notification Rules. In every instance, serious breaches of HIPAA regulations, including those carrying potential criminal penalties, willful or widespread neglect of HIPAA Rules, and a number of suspected HIPAA breaches, should be submitted to the Office for Civil Rights.

HIPAA complaints can be submitted using OCR's online Complaint Portal, although OCR will also accept complaints via fax, mail, or email. Contact details for HIPAA violation reporting can be found at the above link.

In order for OCR to determine whether a violation is likely to have occurred, the reason for the HIPAA complaint should be stated along with the possible breach. Details will need to be supplied about the covered entity (or business associate), the date when the HIPAA violation is thought to have occurred, the address where the violation happened, if known, and when the complainant became aware of the possible HIPAA breach.

Complaints should be submitted within 180 days of the entity becoming aware of the breach, although in certain instances an extension to the HIPAA violation reporting time limit may be granted if there is a valid reason.

Though complaints can be submitted anonymously, it is vital to bear in mind that OCR will not investigate a HIPAA complaint if a name and contact information are not given.

All complaints will be reviewed, and an investigation into a HIPAA complaint will be opened if HIPAA Rules are thought to have been breached and the complaint was submitted within the 180-day time limit.

Not every HIPAA violation results in a settlement or civil monetary penalty. In some instances, the issue is resolved through voluntary compliance, technical assistance, or an agreement by the covered entity or business associate to implement corrective action.

About Thomas Brown
Thomas Brown worked as a reporter for several years at ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown