Reporting HIPAA Violations

Every healthcare employee should know how to report a HIPAA violation, who they should report the violation to, and whether the violation warrants a report to the Department of Health and Human Services’ Office for Civil Rights (OCR).

HIPAA covered entities and their business associates are obliged to investigate any possible HIPAA violation that occurs in order to assess the nature of the breach, the risk to people affected, and whether urgent action is required to fix the violation or reduce risk. The earlier a possible violation is found and reported, the simpler corrective action is likely to be.

How to Internally Report a HIPAA Violation

If you believe that a co-worker or your employer is violating or has violated HIPAA rules, the point of contact should be your supervisor, your Privacy Officer, or the person responsible for HIPAA compliance within your entity.

Accidental HIPAA violations can happen despite people’s best efforts. The violation should be examined internally to determine how it needs to be reported under the HIPAA Breach Notification Rule. Minor violations are often found not to warrant a notification being issued. This can happen if minor errors are made in good faith or if there is minimal risk of disclosed PHI being retained.

If you accidentally view PHI belonging to a patient you are not authorized to view, make some other mistake, or suspect someone else in your organization of having violated HIPAA, you should report it without delay. If you do not and this is discovered at a later date, it could reflect very badly on you.

How to Report a HIPAA Violation to the HHS’ Office for Civil Rights

Staff and patients can report suspected HIPAA violations directly to the OCR, without passing through the covered entity, if it is thought that there has been a violation of the HIPAA Privacy, Security, or Breach Notification Rules. The OCR should be directly notified of all severe violations, such as possible criminal violations, deliberate or widespread neglect of HIPAA, or when multiple violations are thought to have occurred.

Reports can be made through OCR’s online portal or by letter, fax, or email.

The basis for the report should be stated, as well as the suspected HIPAA violation. Information on the covered entity or business associate should be included, as well as the date of the suspected violation, the location it took place, and the date on which the person reporting the incident became aware of it.

Complaints should be made within 180 days of discovery, although extensions may be granted if there is a sufficiently strong reason.

Anonymous reports will not be investigated. The OCR requires a reporter’s name and contact details to pursue an investigation.

Complaints are reviewed and those thought to contain suspected violations are further investigated.

HIPAA violations do not always lead to settlements or financial sanctions. Complaints may be addressed through voluntary compliance, technical guidance, or by the covered entity or business associate agreeing to take corrective action.