What to Do if You Discover a HIPAA Violation in the Workplace

If you suspect there has been a HIPAA violation in the workplace, should you report it? If so, how should you report the potential violation, and who needs to be told?

Is it Necessary to Report a HIPAA Violation in the Workplace?

If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with HIPAA Rules, the potential violation(s) should be reported.

Since the publication of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach or HIPAA audit, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence.

If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar incidents do not occur in the future.

Who Should be Notified About a Potential HIPAA Violation?

Healthcare employees who discover a HIPAA violation in the workplace should report the incident to their supervisor or their HIPAA Privacy Officer in the first instance. The HIPAA Privacy Officer will need to be notified of any HIPAA compliance failure as an investigation will need to be conducted, which should include a risk assessment.

The risk assessment will help the Privacy Officer determine whether the violation is a reportable incident. Not all internal violations of HIPAA Rules need to be reported, but the failure to notify the patient and OCR of a reportable breach of unsecured PHI could result in a financial penalty.

Action should also be taken to ensure that the cause of the breach is corrected. That may require updates to policies and procedures or further staff training.

There have been many cases of employees reporting HIPAA violations internally only for no actions to appear to be taken to address the issue. In such cases, the matter can be escalated and a complaint filed with the HHS’ Office for Civil Rights – the main enforcer of HIPAA Rules.

Filing a Complaint with the HHS’ Office for Civil Rights

OCR investigates complaints about potential HIPAA violations, but only if the complainant provides their name and contact details. Complaints can be submitted anonymously, although it is unlikely any further action will be taken. While many employees may be reluctant to provide such information, healthcare organizations are not permitted to take retaliatory action against individuals who report a HIPAA violation in the workplace.

Financial penalties for HIPAA violations are typically only issued when there has been a willful violation of the HIPAA Rules, although penalties are possible for violations that have occurred through negligence or ongoing compliance failures. However, in many cases, HIPAA violations are resolved through voluntary compliance or by OCR providing technical assistance.

FAQs about Reporting a HIPAA Violation in the Workplace

What happens if I am not an employee, but I see a HIPAA violation in the workplace?

If you are not an employee, but still a member of a covered entity's or business associate's workforce (see definition of workforce in §160.103), you would follow the steps mentioned above. If you are a visitor to an organization subject to HIPAA regulations, you can raise the issue with the organization's compliance officer or go directly to OCR.

When I raised a violation concern with my supervisor, I was told HIPAA didn't apply. Can this be true?

This can depend on the type of organization you work for or the nature of the suspected violation. For example, healthcare activities in some educational institutions are not covered by HIPAA, while some disclosures of PHI are permitted by the Privacy Rule even when they might appear to violate HIPAA – for example, disclosures to public health agencies.

Your best course of action is to ask your supervisor why HIPAA doesn't apply to the suspected violation and use a third-party source to confirm the supervisor's response. It may be the case that your supervisor is misinformed about when HIPAA applies, and your violation concern may have to be escalated to the HIPAA Privacy Officer.

Should reporting violations be included in HIPAA training?

Yes – if you work for a HIPAA-covered entity. Covered entities are required to provide training on “policies and procedures with respect to PHI”; and, as a HIPAA violation is likely to concern an impermissible use or disclosure of PHI, training on how to identify and report a violation should be included in HIPAA training.

If you work for a business associate, your employer is only required to provide you with security and awareness training. Nonetheless, your employer is subject to areas of the Privacy and Breach Notification Rules, and it would be in their best interests to train all members of the workforce on how to identify and report violations of HIPAA.

Why doesn't HHS' Office for Civil Rights investigate anonymous reports?

Although reporters and complainants may wish to remain anonymous, if HHS' Office for Civil Rights investigated anonymous reports, it could lead to an increase in false reports and unjustified complaints – stretching the Office for Civil Rights' resources and potentially reducing the amount of technical assistance available for organizations that need it.

Additionally, the Privacy Rule protects genuine reporters and complainants from retaliation under §160.316. Under this standard, a covered entity or business associate “may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person” who:

  • Files a complaint or reports a HIPAA violation,
  • Assists in an investigation into the complaint/report, or
  • Refuses to take an action that would violate HIPAA.

How do I go about reporting a whole team that is not compliant with HIPAA?

Sometimes, teams take shortcuts with HIPAA compliance “to get the job done” and, when the shortcuts are allowed to continue, a “culture of non-compliance” can develop. In such circumstances, it is still a good idea to initially report your concerns to your supervisor, unless you have concerns that this may affect your standing among your colleagues.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.