Most healthcare groups go to great effort to ensure they are in compliance with HIPAA Rules, but sometimes HIPAA regulations are breached by management or employees. In such instances, a complaint can be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR), the main agency policing HIPAA Rules.
However, complaints will only lead to action being taken if the complaint is submitted within 180 days of the date on which the breach of HIPAA Rules was identified. In a small number of cases, when there is ‘good cause’ why it was not possible to submit a complaint within 180 days, an extension may be allowed.
Note that OCR cannot review any alleged violation of the HIPAA Privacy Rule that happened before April 14, 2003 or Security Rule violations that happened before April 20, 2005 because compliance with those elements of HIPAA Rules was not mandatory prior to those dates.
Anonymously Reporting HIPAA Violations
OCR looks into complaints from people who believe HIPAA Rules have been violated by a healthcare group. Anyone may submit a complaint to OCR and an online complaint website has been established for this very purpose.
The online complaint website has all the information you need to register your complaint. A complaint portal assistant helps complainants determine whether OCR can investigate.
If you wish to report a HIPAA violation anonymously, and prefer not to do so via the Internet, you can download a form from OCR and email, post, or fax your complaint directly.
The Individual’s Right to Anonymity When Filing a HIPAA Violation Complaint
It is not mandatory to give a name and contact information to OCR when filing a complaint, but OCR makes it clear that investigations against covered groups will not be initiated following anonymous complaints of HIPAA violations. All complaints must include a name, signature, and contact details of the complainant.
OCR says that it is against the law for a HIPAA-covered entity to take any retaliatory action against a person who files a complaint about an alleged HIPAA violation. Should that occur, OCR must be advised.
Even so, complainants may feel that they are in danger of being terminated for submitting a complaint or that they could face a backlash from co-workers for officially submitting a complaint about an alleged HIPAA breach.
If this happens, the complaint should not be sent anonymously. You should provide your name and contact details and deny OCR consent to reveal your identity or identifying information about you. A consent form is available at the bottom of the complaint form for this purpose. If you do not provide consent, OCR will withhold your personal information from the covered entity or business associate if the complaint is reviewed.
While it is, in effect, permissible to report a HIPAA breach anonymously, not providing OCR consent to reveal your identity may hinder OCR’s investigation, could see any investigation delayed, and may lead to the closure of the investigation without any action being taken against the covered entity involved.