How to Report a HIPAA Violation
It is important for all employees in the healthcare and healthcare insurance industries to understand what constitutes a HIPAA violation and how to report a HIPAA violation. Understanding what constitutes a HIPAA violation should be included in the Covered Entity´s HIPAA training, as should the correct person to direct the report to – who then has the responsibility to determine whether ot not the HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Potential HIPAA violations must be investigated internally by HIPAA Covered Entities and – where applicable – their Business Associates to determine the severity of the breach, the risk to individuals impacted by the incident, and to ensure action is taken promptly to correct the violation and mitigate risk. The sooner a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to prevent further violations of HIPAA Rules.
Reporting HIPAA Violations Internally
When healthcare or insurance professionals suspect a violation of HIPAA has occurred, the incident should be reported to a supervisor, the organization’s Privacy Officer, or to the individual responsible for HIPAA compliance in the organization.
Accidental HIPAA violations occur even when great care is taken by employees. The HIPAA complaint will have to be investigated internally and a decision made about whether it is a reportable breach under provisions of the HIPAA Breach Notification Rule. Oftentimes, minor incidents are so inconsequential that they do not warrant notifications to be issued, such as when minor errors are made in good faith or if PHI has been disclosed and there is little risk of knowledge of PHI being retained.
If you have made a mistake, accidentally viewed PHI of a patient that you are not authorized to view, or another individual in your organization is suspected of violating HIPAA Rules, you should report HIPAA violations promptly. The failure to do so is likely to be viewed unfavorably if it is later discovered.
How to Report a HIPAA Violation to HHS’ Office for Civil Rights
It is also permitted for employees and patients to bypass notifying the covered entity and make a HIPAA complaint directly with OCR if it is believed that a Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. In all cases, serious violations of HIPAA rules including potential criminal violations, willful/widespread neglect of HIPAA Rules, and multiple suspected HIPAA violations should be reported to the Office for Civil Rights directly.
HIPAA complaints can be submitted via the OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact information for HIPAA violation reporting can be found on the above link.
In order for OCR to determine whether a violation is likely to have occurred, the reason for the HIPAA complaint should be written stated along with the potential violation. Information will need to be supplied about the covered entity (or business associate), the date when the HIPAA violation is suspected of occurring, the address where the violation occurred – if known, and when the complainant learned of the possible HIPAA violation.
Complaints should be submitted within 180 days of the violation being discovered, although in certain cases, an extension to the HIPAA violation reporting time limit may be granted if there is good cause.
While complaints can be submitted anonymously, it is important to bear in mind that OCR will not investigate any HIPAA complaint if a name and contact information is not supplied.
All complaints will be read and assessed, and investigations into HIPAA complaints will be launched if HIPAA Rules are suspected of being violated and the complaint is submitted inside the 180-day timeframe.
Not all HIPAA violations result settlements or civil monetary penalties. Oftentimes, the issue is resolved through voluntary compliance, technical guidance, or if the covered entity or business associate agrees to take corrective action.