Anonymously Reporting a HIPAA Violation

To anonymously report a HIPAA violation, gather relevant information and submit a complaint through the Office for Civil Rights (OCR) online complaint portal or by mail without disclosing personal details. Gather all pertinent information regarding the incident, such as dates, individuals involved, and a description of the violation. Contact the Office for Civil Rights (OCR) through their online complaint portal or submit a written complaint by mail, ensuring that you do not disclose any personal information that could identify you.

| Step | Description |
| --- | --- |
| Gather Information | Collect relevant details about the HIPAA violation, including dates, individuals involved, and incident description. |
| Contact the Office for Civil Rights (OCR) | Reach out to the OCR through their online complaint portal or submit a written complaint by mail without disclosing personal information. |
| Protect Your Identity | Ensure that you do not include any personal details that could potentially identify you when describing the HIPAA violation. |
| Use Anonymous Reporting Channels | Whenever possible, utilize anonymous reporting channels provided by the OCR to maintain your anonymity. |
| Consult with Legal Counsel (Optional) | Consider seeking legal advice to understand your rights, potential risks, and ensure your anonymity throughout the reporting process. |
| Preserve Evidence | If feasible, gather any supporting evidence such as documents, emails, or photographs that can substantiate the reported HIPAA violation. |
| Follow Up with OCR | If desired, periodically follow up with the OCR to inquire about the progress of the investigation or any additional information required. |

Table: Steps in Anonymously Reporting HIPAA Violations

HIPAA Violation Reporting

Most healthcare groups go to great effort to ensure they are in compliance with HIPAA Rules, but sometimes HIPAA regulations are breached by management or employees. In such instances, a complaint can be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR), the main agency policing HIPAA Rules.

However, complaints will only lead to action being taken if the complaint is submitted within 180 days of the date of identification that HIPAA Rules were breached. In a small number of cases, when there is ‘good cause’ that it was not possible to submit a complaint within 180 days, an extension may be allowed.

Note that OCR cannot review any alleged violation of the HIPAA Privacy Rule that happened before April 14, 2003 or Security Rule violations that happened before April 20, 2005 because compliance with those elements of HIPAA Rules was not mandatory prior to those dates.

Anonymously Reporting HIPAA Violations

OCR looks into complaints from people who believe HIPAA Rules have been violated by a healthcare group. Anyone may submit a complaint to OCR, and an online complaint website has been established for this very purpose.

The online complaint website has all the information you need to register your complaint. A complaint portal assistant helps complainants determine whether OCR can investigate.

If you wish to report a HIPAA violation anonymously, and prefer not to do so via the Internet, you can download a form from OCR and email, post, or fax your complaint directly.

The Individual’s Right to Anonymity When Filing a HIPAA Violation Complaint

It is not mandatory to give a name and contact information to OCR when filing a complaint, but OCR makes it clear that investigations against covered groups will not be initiated following anonymous complaints of HIPAA violations. All complaints must include a name, signature, and contact details of the complainant.

OCR says that it is against the law for a HIPAA-covered entity to take any retaliatory action against a person that files a complaint about an alleged HIPAA violation. Should that occur, OCR must be advised.

Even so, complainants may feel that they are in danger of being terminated for submitting a complaint or that they could face a backlash from co-workers for officially submitting a complaint about an alleged HIPAA breach.

If this happens, the complaint should not be sent anonymously. You should provide your name and contact details and deny OCR consent to reveal your identity or identifying information about you. A consent form is available at the bottom of the complaint form for this purpose. If you do not provide consent, OCR will keep personal information from the covered entity or business associate if the complaint is reviewed.

While in effect it is allowable to report a HIPAA breach anonymously, not providing OCR consent to reveal your identity may hinder OCR’s investigation, could see any investigation delayed, and may lead to the closure of the investigation without any action being taken against the covered entity involved.

About Elizabeth Hernandez
Elizabeth Hernandez is a reporter for ComplianceHome. Elizabeth Hernandez is a journalist with a focus on IT compliance and security. She combines her knowledge in information technology and a keen interest in cybersecurity to report on issues related to IT regulations and digital security. Elizabeth's work often touches on topics like GDPR, HIPAA, and SOC 2, exploring how these regulations affect businesses and individuals. Elizabeth emphasizes the significance of compliance regulations in digital security and privacy. https://twitter.com/ElizabethHzone