
Who Should HIPAA Complaints be Directed to Within the Covered Entity?

HIPAA complaints made to a covered entity should be directed to the organization’s Privacy Officer regardless of whether the complaint has been made by a member of the public who believes their privacy rights have been violated or by a member of the workforce reporting an internal violation. The process for members of the public should be included on the organization’s Notice of Privacy Practices, but the process for reporting potential HIPAA violations internally can differ.

Reporting Potential HIPAA Violations Internally

During your HIPAA training, you should have been told to whom HIPAA complaints should be directed within the HIPAA covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, a HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically the Privacy Officer or CISO, although you may feel more comfortable reporting the incident to your supervisor.

All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA violation than for the violation to be reported by a colleague or to be discovered during an internal audit, or worse, by regulators.

A covered entity must investigate potential HIPAA violations and decide whether HIPAA Rules have been violated and, if so, whether the incident is reportable to the Department of Health and Human Services’ Office for Civil Rights (OCR) under the requirements of the HIPAA Breach Notification Rule. Not all breaches are reportable incidents. To make that determination, a risk assessment will need to be conducted to establish whether an official breach notification is necessary.


The HIPAA Breach Notification Rule requires covered entities (and their business associates) to report HIPAA violations to OCR and there is a strict timescale for doing so. All breaches impacting more than 500 individuals must be reported as soon as possible, and certainly no later than 60 days following the discovery of the breach. Smaller breaches impacting fewer than 500 individuals can be reported annually, but no later than 60 days after the end of the calendar year in which the breach was discovered. However, breach notifications will need to be issued to affected patients within 60 days, regardless of how many individuals have been impacted by the breach.

When Should HIPAA Violations be Reported to OCR?

While all HIPAA violations should be reported internally, a complaint can be made to OCR about a HIPAA violation or potential HIPAA violation. You should note that an investigation will only be conducted by OCR if the complainant is named. OCR does not investigate anonymous complaints.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
