If you believe you have accidentally breached HIPAA Rules, or that a co-worker or your employer is failing to adhere to HIPAA Rules, the potential violation(s) should be made known to the relevant bodies.
Since the introduction of the HIPAA Enforcement Rule, HIPAA-covered groups can be financially penalized for HIPAA violations. If an unaddressed HIPAA violation is discovered during an investigation of a complaint, a data breach or a HIPAA review, the HHS’ Office for Civil Rights may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a breach has been discovered internally and corrected to prevent it from happening again.
If a patient’s privacy has been breached, by reporting the violation internally you will empower your employer to take steps to lessen the potential for further harm and will be helping to ensure that similar incidents do not take place in the future.
Who Should be Alerted About a Possible HIPAA Violation?
Healthcare workers who discover a HIPAA violation in the workplace should make the incident known to their supervisor or their HIPAA Privacy Officer in the first instance. The HIPAA Privacy Officer will need to be made aware of any HIPAA compliance failure as a review will need to be conducted, which should incorporate a risk assessment.
The risk assessment will allow the Privacy Officer to determine whether the violation is a reportable breach. Not all internal violations of HIPAA Rules need to be reported, but failing to notify the patient and OCR of a reportable breach could lead to a financial penalty.
Steps should also be taken to make sure that the cause of the breach is addressed. That may require updates to policies and procedures or further staff training sessions.
There have been many instances of workers reporting HIPAA violations internally, only to find that no steps appear to have been taken to address the issue. In such cases, the matter can be escalated and a complaint submitted to the HHS’ Office for Civil Rights – the main enforcer of HIPAA Rules.
Submitting a Complaint to the HHS’ Office for Civil Rights (OCR)
OCR investigates complaints about possible HIPAA violations, but only if the complainant provides their identity and contact details. Complaints can be filed anonymously, although it is unlikely that any further action will be taken. While many employees may be reluctant to provide such information, healthcare groups are not permitted to take retaliatory action against individuals who report a HIPAA breach in the workplace.
Monetary fines for HIPAA violations are normally only issued when there has been a deliberate violation of HIPAA Rules, although penalties are also possible for violations that have occurred through negligence.
In many instances, HIPAA breaches are addressed through voluntary compliance or by OCR providing technical assistance.