Share this article on:
It is important for all healthcare employees to know how to report a HIPAA violation, the correct person to direct the complaint to, and whether the incident should be directed to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Potential HIPAA violations must be investigated internally by HIPAA covered entities and their business associates to determine the severity of the breach, the risk to individuals impacted by the incident, and to ensure action is taken promptly to correct the violation and mitigate risk. The sooner a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to prevent further violations of HIPAA Rules.
How to Report a HIPAA Violation Internally
When healthcare professionals suspect a colleague or their employer has violated HIPA Rules, the incident should be reported to a supervisor, your organization’s Privacy Officer, or to the individual responsible for HIPAA compliance in your organization.
Accidental HIPAA violations occur even when great care is taken by employees. The incident will have to be investigated internally and a decision made about whether it is a reportable breach under provisions of the HIPAA Breach Notification Rule. Oftentimes, minor incidents are so inconsequential that they do not warrant notifications to be issued, such as when minor errors are made in good faith or if PHI has been disclosed and there is little risk of knowledge of PHI being retained.
If you have made a mistake, accidentally viewed PHI of a patient that you are not authorized to view, or another individual in your organization is suspected of violating HIPAA Rules, you should report the incident promptly. The failure to do so is likely to be viewed unfavourably if it is later discovered.
How to Report a HIPAA Violation to HHS’ Office for Civil Rights
It is also permitted for employees and patients to bypass notifying the covered entity and make a complaint directly with OCR if it is believed that a covered entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. In all cases, serious violations of HIPAA Rules including potential criminal violations, willful/widespread neglect of HIPAA Rules, and multiple suspected HIPAA violations should be reported to the Office for Civil Rights directly.
Complaints can be submitted via the OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact information can be found on the above link.
In order for OCR to determine whether a HIPAA violation is likely to have occurred, the reason for the complaint should be written stated along with the potential HIPAA violation. Information will need to be supplied about the covered entity (or business associate), the date when the HIPAA violation is suspected of occurring, the address where the violation occurred – if known, and when the complainant learned of the possible HIPAA violation.
Complaints should be submitted within 180 days of the violation being discovered, although in certain cases, an extension may be granted if there is good cause.
While complaints can be submitted anonymously, it is important to bear in mind that OCR will not investigate any HIPAA complaint if a name and contact information is not supplied.
All complaints will be read and assessed, and investigations into HIPAA complaints will be launched if HIPAA Rules are suspected of being violated and the complaint is submitted inside the 180-day timeframe.
Not all HIPAA violations result settlements or civil monetary penalties. Oftentimes, the issue is resolved through voluntary compliance, technical guidance, or if the covered entity or business associate agrees to take corrective action.