How to Report a HIPAA Violation

How you report a HIPAA violation depends on the nature of the violation and on whether you are a member of the public, a member of a covered entity’s workforce, or the covered entity itself. There are also several channels for reporting a violation: the Privacy Officer at the organization where the violation occurred, your state Attorney General, and HHS’ Office for Civil Rights (OCR).

It is important for everyone working in the healthcare and health insurance industries to understand what constitutes a HIPAA violation and how to report one. HIPAA training should cover both what constitutes a violation and who a report should be directed to. That person is then responsible for determining whether the violation must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Potential HIPAA violations must be investigated internally by HIPAA covered entities and, where applicable, by business associates to determine the severity of the violation and whether it qualifies as a breach of unsecured PHI. Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a risk assessment demonstrates a low probability that the PHI has been compromised. Whether or not the incident turns out to be notifiable, action should be taken promptly to correct the violation and to mitigate the risk of a recurrence. The sooner a HIPAA violation is reported, the easier it is to limit the potential harm and to prevent further violations of the HIPAA Rules.

Reporting HIPAA Violations Internally

When healthcare or insurance professionals suspect a violation of HIPAA has occurred, the incident should be reported to a supervisor, the organization’s Privacy Officer, or to the individual responsible for HIPAA compliance in the organization.

The report will have to be investigated internally and a decision made about whether the incident is a reportable breach under the HIPAA Breach Notification Rule. Many minor incidents do not involve an impermissible disclosure of PHI, or fall within the Rule’s exceptions and do not require notifications to be issued: for example, unintentional access by a workforce member acting in good faith within the scope of their authority, or a disclosure to a person who could not reasonably have retained the information.

Accidental HIPAA violations occur even when workforce members take great care to work compliantly. If you have made a mistake, accidentally viewed the PHI of a patient you are not authorized to view, or suspect that another individual in your organization has violated the HIPAA Rules, you should report it promptly. A failure to do so is likely to be viewed unfavorably if it is later discovered.

How to Report a HIPAA Violation to HHS’ Office for Civil Rights

Employees and patients are also permitted to bypass the covered entity and file a complaint directly with HHS’ Office for Civil Rights (OCR) if they believe a covered entity or business associate has violated the HIPAA Privacy, Security, or Breach Notification Rules. Serious violations, including potential criminal violations, willful or widespread neglect of the HIPAA Rules, and multiple suspected violations, should always be reported to OCR directly.

HIPAA complaints can be submitted via OCR’s online complaint portal, although OCR also accepts complaints by fax, mail, or email. Contact information for each channel is published on OCR’s complaint page.

For OCR to determine whether a violation is likely to have occurred, the complaint should state the reason for the complaint and describe the suspected violation. It will also need to identify the covered entity (or business associate), the date on which the violation is suspected of having occurred, the address where it occurred (if known), and when the complainant learned of the possible violation.

Complaints should be submitted within 180 days of the complainant becoming aware of the violation, although OCR may extend this time limit if good cause is shown.

Although a complaint can be sent without identifying yourself, OCR will not investigate a complaint unless the complainant’s name and contact information are supplied.

All complaints are read and assessed, and an investigation is launched if the complaint alleges a possible violation of the HIPAA Rules by a named covered entity or business associate and was submitted within the 180-day timeframe.

Not all HIPAA violations result in settlements or civil monetary penalties. Most often, issues are resolved through voluntary compliance, technical assistance, or a corrective action plan agreed by the covered entity or business associate.

How to Report a HIPAA Violation: FAQs

Are these procedures just for employees of covered entities and business associates?

These procedures are not just for employees of covered entities and business associates. They apply to all members of the workforce, which can include volunteers, students, and agency personnel. Effectively, every person under a covered entity’s control, whether paid by the covered entity or not, should be told what constitutes a HIPAA violation and how to report it, either to a supervisor, to a compliance officer, or to OCR directly.

What happens if I report a clear and ongoing violation to my supervisor, but they do nothing about it?

If you report a clear and ongoing violation to a supervisor and they do nothing about it, you should escalate the report to your compliance officer. If the compliance officer fails to take action, further escalate the report to OCR with an explanation that you have reported the violation to your supervisor and compliance officer, but no action appears to have been taken.

A colleague told me it could affect my work prospects if I report a HIPAA violation. Is this right?

It could affect your work prospects if you report a HIPAA violation that turns out not to be a violation: complying with the subsequent investigation may be seen as a waste of time and resources (if the complaint is not valid or justified) and will probably result in further training, possibly not just for you but for other members of the workforce as well.

For justified reports of HIPAA violations, the Compliance and Investigations subpart of the HIPAA Administrative Simplification regulations includes a standard (45 CFR §160.316) that prohibits covered entities and business associates from threatening, intimidating, coercing, discriminating against, or taking any other retaliatory action against an individual for filing a complaint with OCR or for assisting in OCR’s investigation of the complaint. If your work prospects suffer as a result of reporting a HIPAA violation, you should report the retaliatory action to OCR.

How do I report a suspicion that a colleague is stealing PHI to sell?

If you suspect a colleague is stealing PHI to sell, you should report your suspicions to a supervisor or the compliance manager in the same way you would report any other HIPAA violation. If the suspicion is confirmed, the usual course of action is for the compliance manager to report the event to OCR, which will consider whether the case warrants a criminal investigation and, if so, refer it to the Department of Justice.

How long do you have to report a HIPAA violation and is it necessary to report violations of HIPAA within 180 days?

You have 180 days to report a HIPAA violation to HHS’ Office for Civil Rights (OCR), but the timeframes can differ if you report the violation to a covered entity or to a state Attorney General. The 180-day limit exists not only to encourage timely reports of HIPAA violations, but also to reduce the risk of duplicate reports (i.e., the same event being reported by more than one person) and to avoid OCR having to investigate historical violations that may already have been resolved following an internal audit or risk assessment.

How do members of the public go about reporting a HIPAA violation?

Members of the public go about reporting a HIPAA violation in the same way as members of a covered entity’s workforce. They can report a HIPAA violation to the covered entity’s HIPAA Privacy Officer (whose contact details should be on the organization’s Notice of Privacy Practices), to their state Attorney General, or directly to OCR via the online complaint portal.

Is reporting HIPAA violations effective?

Reporting HIPAA violations can be effective depending on the information included in the report. For example, if you report that an unnamed person disclosed unspecified information about someone whose name you can’t remember “sometime last year”, it is unlikely your report will be effective.

If, however, you provide sufficient information to justify an investigation, it is more likely the report will be acted upon. In addition, if you report a HIPAA violation to a covered entity’s Privacy Officer and make it clear you are aware you also have the right to file a complaint with the state Attorney General or OCR, you may find the response to your report is expedited.

If you believe a privacy violation has taken place, who should you report it to?

If you believe a privacy violation has taken place, you should report it to the Privacy Officer responsible for HIPAA compliance at the organization where the violation occurred. If you fail to get an appropriate response, you can escalate the report to your state Attorney General or HHS’ Office for Civil Rights.

What is the process for HIPAA violation reporting?

The process for HIPAA violation reporting can vary according to who the report is made to, but generally:

The recipient of the report will acknowledge it and review the report to see if the event being alleged is actually a violation of HIPAA (two-thirds of reports received by HHS’ Office for Civil Rights are not HIPAA violations).

If the event does qualify as a HIPAA violation and there is sufficient information in the report to conduct an investigation, the recipient will look into the allegation. If not, they might write to you for further information.

When an investigation is complete, the outcome is most often voluntary compliance or technical assistance to prevent the HIPAA violation recurring. This usually involves a change to policies and procedures and staff retraining.

If the nature of the HIPAA violation is serious, the organization responsible for the HIPAA violation may be fined; or, if the violation is criminal in nature, the case could be referred to the Department of Justice for prosecution.

How do you file a HIPAA complaint against an organization?

You can file a HIPAA complaint against an organization in several ways. You can complain directly to the organization, file a HIPAA complaint with your state Attorney General, or contact HHS’ Office for Civil Rights. If the organization is a service provider (“business associate”) for a health plan or healthcare provider, you can also complain to the health plan or healthcare provider.

Where should I report HIPAA violations if I am the victim of a data breach?

If you are the victim of a data breach, you should report HIPAA violations to HHS’ Office for Civil Rights. Before doing so, however, it is important to be sure the data breach is attributable to HIPAA violations by the organization you are reporting. It may be that the breach is attributable to the negligence of another organization to which your health information was permissibly disclosed. If you report HIPAA violations against the wrong organization, it may delay the resolution of your complaint.

How do you report a HIPAA violation?

You can report a HIPAA violation by contacting the Privacy Officer at the organization at which the violation occurred. The Privacy Officer’s contact details are on the organization’s Notice of Privacy Practices. If you feel your report is not being attended to in a timely manner, you can escalate the report to your state Attorney General and/or HHS’ Office for Civil Rights.

Whom should you report a possible PHI breach to?

In the first instance, you should report a possible PHI breach to the health plan or healthcare provider you believe is responsible for the breach. The organization will conduct an investigation and notify you if your PHI has indeed been breached. If you feel the organization is not responding to your report in a timely manner, you can report a possible PHI breach directly to HHS’ Office for Civil Rights.

What are the HIPAA violation reporting requirements?

The HIPAA violation reporting requirements relate to violations that result in breaches of unsecured PHI. Affected individuals must be notified without unreasonable delay and no later than sixty days after the breach is discovered. Breaches affecting fewer than 500 individuals must be reported to HHS’ Office for Civil Rights within sixty days of the end of the calendar year in which they were discovered; breaches affecting 500 or more individuals must be reported to HHS’ Office for Civil Rights at the same time as the individual notifications (i.e., within sixty days of discovery) and also notified to prominent media outlets serving the affected state or jurisdiction.

How do I contact HIPAA about violations?

You don’t contact HIPAA about violations. HIPAA is a law enforced by the Department of Health and Human Services’ Office for Civil Rights, and you can contact that agency directly if you believe the privacy or security of your individually identifiable health information has been compromised by an organization’s non-compliance with HIPAA.

How do you report a nurse for a HIPAA violation?

To report a nurse for a HIPAA violation, the best person to contact is the Privacy Officer at the organization where the nurse is employed. The Privacy Officer’s contact details are on the Notice of Privacy Practices; when contacting them, you need to provide as much information as possible about the violation, especially if there has been an impermissible use or disclosure of PHI.

Who do you contact for a HIPAA violation by a pharmacy?

For a HIPAA violation by a pharmacy, you can contact the pharmacy itself, the pharmacy’s head office (if it is part of a larger group), your state Attorney General, or HHS’ Office for Civil Rights. The pharmacy may also be part of an Organized Health Care Arrangement, in which case you can contact the Arrangement’s HIPAA Privacy Officer.

How do you report HIPAA violations by home health workers?

You can report HIPAA violations by home health workers to the healthcare organization that employs them. In most cases, the person responsible for receiving reports is the HIPAA Privacy Officer, whose contact details should be on the Notice of Privacy Practices given to you when you first registered with the healthcare organization. If you cannot find your copy of the Notice of Privacy Practices, the Notice should also be published on the organization’s website.

In the event you have exhausted all reporting options within your organization, who can you report a HIPAA violation to?

In the event you have exhausted all reporting options within your organization, you can report a HIPAA violation to HHS’ Office for Civil Rights (OCR). Unfortunately, OCR will not investigate an anonymous complaint, so you will need to supply your name and contact information; however, 45 CFR §160.316 prohibits organizations from taking discriminatory or retaliatory action against an individual for filing a complaint with OCR.

What is the HIPAA violation reporting phone number?

The HIPAA violation reporting phone number is the number provided on the Notice of Privacy Practices given to you by the healthcare organization or health plan you wish to file a complaint against (it will also be on their website). If you want to report a HIPAA violation to a state Attorney General or HHS’ Office for Civil Rights, you will have to write, email, or use an online portal.

What should you do if you suspect a compliance issue has occurred in a hospital?

If you suspect a compliance issue has occurred in a hospital, you should raise your concerns with the hospital’s HIPAA Privacy Officer. In order for the Privacy Officer to investigate your concerns, you will need to supply as much information as possible about why you suspect a compliance issue has occurred, when it took place, and who is responsible.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
