How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated or if HIPAA Rules are not being followed in your organization.

When Can an Alleged HIPAA Violation be Reported?

Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules.

However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted.

Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those elements of HIPAA Rules was not mandatory before those dates.

Report a HIPAA Violation Anonymously

OCR investigates complaints from individuals who believe HIPAA Rules have been violated by a healthcare organization. Anyone is permitted to submit a complaint to OCR and an online complaint portal has been developed for this purpose.

The online complaint portal contains all the information you need to submit your complaint. A complaint portal assistant helps complainants determine whether OCR is in a position to investigate.

If you want to report a HIPAA violation anonymously, and prefer not to do so online, you can download a form from OCR and email, post, or fax your complaint.

Your Right to Anonymity When Submitting a HIPAA Violation Complaint

It is not mandatory to supply a name and contact information to OCR when submitting a complaint, but OCR makes it clear that investigations against covered entities will not be initiated as a result of anonymous complaints of HIPAA violations. All complaints should include a name, signature, and contact information of the complainant.

OCR explains that it is illegal for a HIPAA-covered entity to take any retaliatory action against an individual who submits a complaint about an alleged HIPAA violation. Should that happen, OCR must be notified.

That said, complainants may feel that they may be terminated for making a complaint or that they face backlash from colleagues for officially submitting a complaint about an alleged HIPAA violation.

In such cases, the complaint should not be submitted anonymously. You should supply your name and contact details and deny OCR consent to reveal your identity or identifying information about you. A consent form is included at the bottom of the complaint form for this purpose. If you deny consent, OCR will withhold personal information from the covered entity or business associate if the complaint is investigated.

While in effect it is possible to report a HIPAA violation anonymously, not giving OCR consent to reveal your identity may impede OCR’s investigation, could see any investigation delayed, and may result in the closure of the investigation without any action being taken against the covered entity concerned.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.