How to Report a HIPAA Violation
Internal Reporting of HIPAA Violations
When healthcare or insurance workers believe that a violation of HIPAA has taken place, the incident should be reported to a supervisor, the organization's Privacy Officer, or the individual responsible for ensuring HIPAA compliance in the organization.
HIPAA violations due to human error occur even when employees take great care. The HIPAA complaint will need to be reviewed internally and a decision made as to whether it constitutes a reportable breach under the provisions of the HIPAA Breach Notification Rule. In most instances, minor incidents, such as small errors made in good faith, do not require notifications to be sent.
If you have made a mistake, accidentally viewed the PHI of a patient you do not have permission to access, or suspect that another person in your organization has breached the HIPAA Rules, you should report the HIPAA violation as quickly as possible. Failing to do so is likely to be viewed unfavorably when the breach is later discovered.
Officially Reporting a HIPAA Violation to OCR
It is also acceptable for employees and patients to bypass the covered entity and submit a HIPAA complaint directly to OCR if they believe that a covered entity has breached the HIPAA Privacy, Security, or Breach Notification Rules. In all instances, serious breaches of the HIPAA regulations, including those carrying potential criminal penalties, willful or widespread neglect of the HIPAA Rules, and a number of suspected HIPAA breaches, should be submitted to the Office for Civil Rights.
HIPAA complaints can be submitted online using OCR's Complaint Portal, although OCR will also accept complaints by fax, mail, or email. Contact details for HIPAA violation reporting can be found at the above link.
In order for OCR to determine whether a violation is likely to have occurred, the reason for the HIPAA complaint should be stated along with the possible breach. Details will need to be supplied about the covered entity (or business associate), the date on which the HIPAA violation is thought to have occurred, the address where the violation happened, if known, and when the complainant became aware of the possible HIPAA breach.
Complaints should be submitted within 180 days of the entity becoming aware of the breach, although in certain instances an extension to the HIPAA violation reporting time limit may be granted if there is a valid reason.
Although complaints can be submitted anonymously, it is important to bear in mind that OCR will not investigate a HIPAA complaint if a name and contact information are not provided.
All complaints will be reviewed, and an investigation into a HIPAA complaint will be opened if the HIPAA Rules are thought to have been breached and the complaint was submitted within the 180-day time limit.
Not every HIPAA violation results in a settlement or civil monetary penalty. In some instances, the issue is resolved through voluntary compliance, technical assistance, or an agreement by the covered organisation or business associate to implement corrective steps.