HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Violation Reporting

There is no one-size-fits-all HIPAA violation reporting process because different organizations have different policies and procedures for reporting HIPAA violations, while the process for reporting violations to HHS' Office for Civil Rights varies according to the nature of the violation and who is making the report.

There are many different types of HIPAA violations, but some are not as serious as others. For example, the failure to send periodic security reminders (an implementation specification of 45 CFR § 164.308) is a HIPAA violation, but it is unlikely to have as serious consequences as the theft of an unencrypted laptop containing the unsecured ePHI of twenty thousand patients.

Consequently, a single Covered Entity or Business Associate may have several HIPAA violation reporting processes depending on the nature and potential severity of the event. Similarly, HHS' Office for Civil Rights – the HIPAA enforcement agency – has three reporting processes through which organizations, members of the workforce, and patients can report a HIPAA violation.

HIPAA Violation Reporting by Employees

When a HIPAA violation is identified by a member of a Covered Entity's or Business Associate's workforce, the reporting process is determined by the organization's HIPAA policies and procedures. Some organizations' policies require a verbal report to an immediate supervisor or manager, while others require the violation to be reported in writing directly to the organization's Privacy or Security Officer. In some HIPAA violation cases, the recipient of the report depends on the nature of the violation.


Some organizational policies include a process for escalating HIPAA violation reporting. Typically, if the immediate supervisor fails to address the violation, the report should be escalated to the Privacy or Security Officer. If the violation remains unaddressed, the report should be escalated to HHS' Office for Civil Rights. It is also possible to escalate reports to State Attorneys General or, in limited circumstances, through the courts by bringing a qui tam action under the False Claims Act. Note that HIPAA itself provides no private right of action, so a qui tam action only applies where the non-compliance is alleged to have resulted in false claims for payment to a federal health care program.

HIPAA Violation Reporting by Patients

Most patients' knowledge of HIPAA is limited to the information provided for them in a Notice of Privacy Practices, so patients should use it to learn their HIPAA rights and how to report a violation of those rights – most often to the Covered Entity's Privacy Officer (whose contact details should be on the Notice of Privacy Practices) or to HHS' Office for Civil Rights through the online complaints portal. Complaints to the Office for Civil Rights have to be made within 180 days of when the complainant knew, or should have known, about the violation.

If a patient witnesses a violation unrelated to their rights, the HIPAA violation reporting process varies slightly. Reports can be made to the organization's Privacy Officer as before, to HHS' Office for Civil Rights via a different complaint portal (for Privacy Rule violations and Security Rule violations), or to State Attorneys General via State Departments for Consumer Protection. However, federal and state agencies may require evidence of the violation before initiating an investigation.

Reporting Data Breaches to HHS´ Office for Civil Rights

Covered Entities and Business Associates are not required to report HIPAA violations unless they result in unauthorized access to – or acquisition, use, or disclosure of – unsecured PHI. Most HIPAA violations of this nature must be reported to the individuals affected by the data breach and to HHS' Office for Civil Rights, unless it can be shown there is a low probability that the PHI has been compromised based on the four-factor risk assessment described in 45 CFR § 164.402, or one of the exceptions to the definition of a breach applies. Business Associates report breaches to the Covered Entity, which is responsible for the notifications to individuals and to HHS.

The timing of HIPAA violation reporting to HHS' Office for Civil Rights varies according to the number of individuals affected by the data breach. For data breaches affecting 500 or more individuals, Covered Entities must notify HHS' Office for Civil Rights without unreasonable delay and no later than sixty calendar days after the breach is discovered. For breaches affecting fewer than 500 individuals, Covered Entities can report these violations of HIPAA to HHS' Office for Civil Rights on an annual basis, within sixty days of the end of the calendar year in which the breach was discovered. Affected individuals must be notified within sixty days of discovery in either case.

Why You Shouldn't Delay Reporting HIPAA Violations

There are multiple reasons why members of the workforce, patients, and Covered Entities should not delay reporting HIPAA violations. One of the most pressing reasons for members of the workforce – and supervisors, managers, and Privacy Officers – not to delay HIPAA violation reporting is that, if reports are delayed, no action will be taken to address them, and violations could develop into “cultural norms” which will be harder to reverse.

For the same reason, patients should not delay reporting HIPAA violations – notwithstanding that they only have a 180-day window for making a complaint – while the consequences of Covered Entities failing to report HIPAA violations in a timely manner can be substantial. In 2019, Sentara Hospitals had to pay $2.175 million as part of a settlement for failing to properly notify HHS' Office for Civil Rights of a data breach affecting 577 patients, which it had reported as affecting only eight.

HIPAA Violation Reporting FAQs

What are the three HHS HIPAA violation reporting processes?

The three online HIPAA violation reporting processes are the primary complaints portal for patients to use when they believe their rights have been violated, the secondary complaints portal that can be used by patients and members of a Covered Entity's workforce to report HIPAA violations unconnected to patients' rights, and the breach notification portal for Covered Entities to report unauthorized access to – or acquisition, use, or disclosure of – unsecured PHI.

You can also contact HHS' Office for Civil Rights via toll-free phone on 1-800-368-1019, via TDD text on 1-800-537-7697, or via email to [email protected]

How might a patient witness a violation unrelated to their rights?

There are multiple ways in which a patient could witness a violation unrelated to their rights. They could overhear two medical professionals discussing another patient's treatment, see paper charts or notes relating to another patient's care, or have sight of computer screens showing lists of patients and their conditions. Any of these events – and many more – can be impermissible disclosures of PHI that violate HIPAA if the Covered Entity has not applied reasonable safeguards. The caveat is that incidental disclosures which occur despite reasonable safeguards and the minimum necessary standard are permitted under 45 CFR § 164.502(a)(1)(iii), so whether such an event is a violation depends on the safeguards in place.

What is a qui tam action against a Covered Entity?

A qui tam action is a legal action brought by an individual on behalf of the government under the False Claims Act, alleging that a federal contractor or program participant has defrauded the government. In the context of HIPAA violation reporting, a member of a Covered Entity's workforce – or a patient – can bring an action against a Medicare or Medicaid Covered Entity where its failure to comply with HIPAA is alleged to have resulted in false claims for payment (for example, claims submitted on the basis of a false certification of compliance). HIPAA itself provides no private right of action, so non-compliance alone is not enough. While an extreme option for reporting HIPAA violations, plaintiffs receive a percentage of any recovery from the Covered Entity.

What are the exceptions to the breach reporting requirements?

There are three exceptions. The first applies to unintentional, good faith acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity or Business Associate, provided it was within the scope of their authority and the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule. The second applies to an inadvertent disclosure by a person authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same organization (or the same organized health care arrangement), again provided the PHI is not further used or disclosed impermissibly. The third exception applies when the Covered Entity or Business Associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Are Covered Entities required to report ransomware attacks as data breaches?

If a Covered Entity's ePHI is not encrypted at the time a ransomware attack takes place, HHS' Office for Civil Rights considers the attack to be a presumed data breach because the attackers have taken control of unsecured ePHI and there is usually no way of knowing whether data has been exfiltrated. The presumption can only be rebutted by a documented four-factor risk assessment showing a low probability that the PHI has been compromised. If the ePHI was encrypted in a manner consistent with HHS guidance at the time of the attack, so that it was unreadable to the attackers, no breach of unsecured ePHI occurs and there is no requirement to report the ransomware attack. The caveat is that the encryption must actually have protected the data at the time: full-disk encryption protects a powered-off laptop, but not a running system on which the ransomware was executing with the data already decrypted for use.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.