How to File a HIPAA Complaint

It is vital that healthcare and healthcare insurance workers know what constitutes a HIPAA violation and how to report one. What constitutes a HIPAA violation should be covered in the Covered Entity's HIPAA training, as should the proper person to direct the report to, who must then rule whether or not the HIPAA violation should be reported to the Department of Health and Human Services' Office for Civil Rights (OCR).

Possible HIPAA violations must be looked into internally by HIPAA Covered Entities and – where applicable – their Business Associates to discover the extent of the breach, the danger to individuals impacted by the incident, and to ensure action is taken swiftly to address the violation and mitigate risk. The quicker a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to stop further violations of HIPAA Rules.

Reporting HIPAA Violations Inside an Organization

When healthcare or insurance professionals think that a violation of HIPAA may have taken place, the incident should be made known to a supervisor, the organization’s Privacy Officer, or to the individual responsible for HIPAA compliance in the group.

Accidental HIPAA violations take place even when great care is taken by employees. The HIPAA complaint will have to be investigated internally and a decision made about whether it is a reportable breach under the provisions of the HIPAA Breach Notification Rule. Usually, minor incidents are so inconsequential that they do not need notifications to be issued, such as when minor mistakes are made in good faith or if PHI has been disclosed and there is little danger that knowledge of the PHI has been retained.

If you have made a mistake, or have viewed in error the PHI of a patient that you are not allowed to view, or another person in your organization is suspected of violating HIPAA Rules, you should report HIPAA violations as quickly as you can. The failure to do so is likely to be viewed unfavorably if it is later noticed.

How to Submit a Report of a HIPAA Violation to HHS’ Office for Civil Rights

It is also permissible for employees and patients to skip notifying the covered entity and make a HIPAA complaint directly with OCR if it is thought that a Covered Entity has breached the HIPAA Privacy, Security, or Breach Notification Rules. In all instances, serious breaches of HIPAA Rules, including potential criminal breaches, willful/widespread neglect of HIPAA Rules, and multiple possible HIPAA violations, should be reported to the Office for Civil Rights directly.

HIPAA complaints can be sent to the OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact details for HIPAA violation reporting can be found on the above link.

So that OCR can determine whether a violation is likely to have taken place, the reason for the HIPAA complaint should be written alongside the potential violation. Information will need to be supplied regarding the covered entity (or business associate), the date when the HIPAA violation is thought to have taken place, the address where the violation occurred – if known, and when the complainant learned of the possible HIPAA breach.

Complaints should be sent within 180 days of the violation being noticed, although in certain cases, an extension to the HIPAA violation reporting time limit may be granted if there is good reason for this.

While complaints can be sent in anonymously, it is crucial to bear in mind that OCR will not look into any HIPAA complaint if a name and contact information are not given.

All complaints will be read and reviewed, and investigations into HIPAA complaints will be kicked off if HIPAA Rules are thought to have been breached and the complaint is submitted within the 180-day timeframe.

Not all HIPAA violations lead to settlements or civil monetary fines. In a lot of cases, the issue is resolved through voluntary compliance, technical guidance, or an agreement by the covered entity or business associate to take remedial action.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth.