Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one.
Reporting Potential HIPAA Violations Internally
During your HIPAA training, you should have been told to whom HIPAA complaints should be directed within the covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. If you feel more comfortable doing so, you may instead report the incident to your supervisor.
All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA violation than for the violation to be reported by a colleague or to be discovered during an internal audit, or worse, by regulators.
A covered entity must investigate potential HIPAA violations and decide whether HIPAA Rules have been violated, and if so, whether the incident is reportable to the Department of Health and Human Services' Office for Civil Rights (OCR) under the requirements of the HIPAA Breach Notification Rule. Not all breaches are reportable incidents. To make that determination, a risk assessment will need to be conducted to establish whether an official breach notification is necessary.
The HIPAA Breach Notification Rule requires covered entities (and their business associates) to report HIPAA violations to OCR and there is a strict timescale for doing so. All breaches impacting more than 500 individuals must be reported as soon as possible, and certainly no later than 60 days following the discovery of the breach. Smaller breaches impacting fewer than 500 individuals can be reported annually, but no later than 60 days after the end of the calendar year in which the breach was discovered. However, breach notifications will need to be issued to affected patients within 60 days, regardless of how many individuals have been impacted by the breach.
When Should HIPAA Violations be Reported to OCR?
While all HIPAA violations should be reported internally, a complaint can also be made directly to OCR about a HIPAA violation or potential HIPAA violation. You should note that OCR will only conduct an investigation if the complainant is named. OCR does not investigate anonymous complaints.