HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Who Should HIPAA Complaints be Directed to Within the Covered Entity?

Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one.

Reporting Potential HIPAA Violations Internally

During your HIPAA training, you should have been told who should HIPAA complaints be directed to within the HIPAA covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. You may feel more comfortable reporting the incident to your supervisor.

All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA violation than for the violation to be reported by a colleague or to be discovered during an internal audit, or worse, by regulators.

A covered entity must investigate potential HIPAA violations and decide whether HIPAA Rules have been violated, and if so, whether the incident is reportable to the Department of Health and Human Services’ Office for Civil Rights (OCR) under the requirements of the HIPAA Breach Notification Rule.  Not all breaches are reportable incidents (See this page for further information). To make that determination, a risk assessment will need to be conducted to determine whether an official breach notification is necessary.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The HIPAA Breach Notification Rule requires covered entities (and their business associates) to report HIPAA violations to OCR and there is a strict timescale for doing so. All breaches impacting more than 500 individuals must be reported as soon as possible, and certainly no later than 60 days following the discovery of the breach. Smaller breaches impacting fewer than 500 individuals can be reported annually, but no later than 60 days after the end of the calendar year in which the breach was discovered. However, breach notifications will need to be issued to affected patients within 60 days, regardless of how many individuals have been impacted by the breach.

When Should HIPAA Violations be Reported to OCR?

While all HIPAA violations should be reported internally, a complaint can be made to OCR about a HIPAA violation or potential HIPAA violation. You should note that an investigation will only be conducted by OCR if the complainant is named. OCR does not investigate anonymous complaints.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.