Reporting a HIPAA Violation
When healthcare or insurance worker think that a violation of HIPAA has taken place, the incident should be reported to a supervisor, the group’s Privacy Officer, or to the individual responsible for HIPAA compliance in the group.
Accidental HIPAA violations take place even when great care is taken by employees. The HIPAA complaint will have to be reviewed internally and a decision made about whether it is a reportable breach under provisions of the HIPAA Breach Notification Rule. Some times, minor incidents are so inconsequential that they do not need notifications to be issued, such as when minor mistakes are made in good faith or if PHI has been shared and there is little risk of knowledge of PHI being retained.
If you have made a mistake, accidentally accessed PHI of a patient that you are not authorized to view, or another person in your group is suspected of breaching HIPAA Rules, you should report HIPAA violations promptly. The failure to do so is likely to be considered unfavorably if it is later discovered.
Reporting a HIPAA Violation to HHS’ Office for Civil Rights
It is also allowable for employees and patients to bypass notifying the covered entity and make a HIPAA complaint directly with OCR if it is though that a Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. In all instances, serious breaches of HIPAA rules including potential criminal violations, willful/widespread neglect of HIPAA Rules, and multiple suspected HIPAA violations should be made known to the Office for Civil Rights directly.
HIPAA complaints can be file on OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact information for HIPAA violation reporting can be located on the above link.
In order for OCR to determine whether a violation is likely to have taken place, the reason for the HIPAA complaint should be written stated along with the potential breach. Information will need to be given regarding about the covered entity (or business associate), the date when the HIPAA violation is suspected to have taken place, the address where the violation occurred – if known, and when the complainant learned of the possible HIPAA breach.
Complaints should be filed within 180 days of the violation being noticed, although in certain instances, an extension to the HIPAA violation reporting time limit may be granted if there is good cause.
While complaints can be submitted anonymously, it is important to remember that OCR will not investigate any HIPAA complaint if a name and contact information is not given.
All complaints will be reviewed and assessed, and investigations into HIPAA complaints will be initiated if HIPAA Rules are suspected of being breached and the complaint is submitted inside the 180-day timeframe.
Not all HIPAA breaches lead to settlements or civil monetary penalties. Some times, the issue is settled through voluntary compliance, technical guidance, or if the covered entity or business associate agrees to take corrective measures.