Share this article on:
You suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told?
Is it Necessary to Report a HIPAA Violation in the Workplace?
If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with HIPAA Rules, the potential violation(s) should be reported.
Since the passing of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach or HIPAA audit, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence.
If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar incidents do not occur in the future.
Who Should be Notified About a Potential HIPAA Violation?
Healthcare employees who discover a HIPAA violation in the workplace should report the incident to their supervisor or their HIPAA Privacy Officer in the first instance. The HIPAA Privacy Officer will need to be notified of any HIPAA compliance failure as an investigation will need to be conducted, which should include a risk assessment.
The risk assessment will help the Privacy Officer determine whether the violation is a reportable incident. Not all internal violations of HIPAA Rules need to be reported, but the failure to notify the patient and OCR of a reportable breach could result in a financial penalty.
Action should also be taken to ensure that the cause of the breach is corrected. That may require updates to policies and procedures or further staff training.
There have been many cases of employees reporting HIPAA violations internally only for no actions to appear to be taken to address the issue. In such cases, the matter can be escalated and a complaint filed with the HHS’ Office for Civil Rights – The main enforcer of HIPAA Rules.
Filing a Complaint with the HHS’ Office for Civil Rights
OCR investigates complaints about potential HIPAA violations, but only if the complainant provides their name and contact details. Complaints can be submitted anonymously, although it is unlikely any further action will be taken. While many employees may be reluctant to provide such information, healthcare organizations are not permitted to take retaliatory action against individuals who report a HIPAA violation in the workplace.
Financial penalties for HIPAA violations are typically only issued when there has been a willful violation of HIPAA Rules, although penalties are possible for violations that have occurred through negligence.
In many cases, HIPAA violations are resolved through voluntary compliance or by OCR providing technical assistance.