How to Report a HIPAA Violation Anonymously

Most healthcare groups put a lot of work into ensuring they adhere to all relevant HIPAA Rules, but from time to time HIPAA regulations are breached by management or staff members. In such instances, a complaint can be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the chief enforcer of HIPAA Rules.

However, complaints will only lead to action being taken if the complaint is filed within 180 days of the date of discovery that HIPAA Rules were breached. In a small number of cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be given.

Note that OCR cannot look into any alleged violation of the HIPAA Privacy Rule that took place prior to April 14, 2003 or Security Rule violations that happened before April 20, 2005, because compliance with those elements of HIPAA Rules was not mandatory prior to those dates.

How to Report a HIPAA Violation Anonymously

OCR investigates complaints from people who feel HIPAA Rules have been violated by a healthcare group. Anyone is permitted to file a complaint with OCR, and an online complaint portal has been created for this purpose.

The online complaint portal contains all the information you require to file your complaint. A complaint portal assistant helps complainants determine whether OCR is in a position to review their complaint.

You Have a Right to Anonymity When Filing a HIPAA Violation Complaint

It is not obligatory to give a name and contact information to OCR when filing a complaint, but OCR makes it clear that investigations against covered entities will not be initiated on the basis of anonymous complaints of HIPAA violations. All complaints should have a name, signature, and contact details for the complainant.

OCR outlines that it is illegal for a HIPAA-covered entity to take any retaliatory action against an individual who files a complaint about what is believed to be a HIPAA violation. Should that happen, OCR must be made aware.

Even so, complainants may feel that they may be fired for submitting a complaint or that they face some action from colleagues for officially submitting a complaint about a perceived HIPAA violation.

In such instances, the complaint should not be filed anonymously. You should give your name and contact details and withhold consent for OCR to reveal your identity or identifying information. A consent form is included at the bottom of the complaint form for this reason. If you do not provide consent, OCR will withhold personal information from the covered entity or business associate if the complaint is officially reviewed.

While it is possible in this sense to report a HIPAA violation anonymously, not providing OCR consent to reveal your identity may hinder OCR’s investigation, could slow any investigation down, and may lead to the closure of the investigation without any action being taken against the covered entity involved.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown