Reporting HIPAA Violations
If you think that HIPAA Rules have been breached by a HIPAA-covered entity (healthcare providers, health plans, healthcare clearinghouses, business associates of covered entities and their subcontractors), the violation must be reported to allow an investigation to be conducted.
HIPAA violations frequently occur as a result of human error or a misunderstanding of HIPAA regulations, and in some cases they are deliberate or willful. A covered entity or business associate may not be aware that a HIPAA violation has taken place, and should be given the chance to correct mistakes and stop similar violations from occurring in the future.
How Can Healthcare Staff Members Report HIPAA Violations?
If you work for a HIPAA-covered entity, who do you report HIPAA violations to? The complaint should be submitted to your HIPAA compliance officer, or failing that, the matter should be reported to your supervisor. This will give your employer the chance to act quickly to prevent any further violations of HIPAA Rules.
If action is not taken to address the issue, or if healthcare workers would rather bypass this step, they can submit a complaint to the Office for Civil Rights (OCR). In order for OCR to review the issue, it will need to be advised of the suspected violation and should be given concise and specific information about the suspected breach, including when it occurred, if it is ongoing, and when it was noticed. Complaints must be submitted within 180 days of discovery of the breach; any later and OCR will not investigate. Extensions may be granted in some cases.
How Can Patients Report HIPAA Violations?
If you are a patient or health plan subscriber, who do you report HIPAA breaches to?
Firstly, a complaint should be lodged with the covered entity in question so an internal review can take place. Healthcare organizations designate a HIPAA compliance officer to manage their compliance obligations. This is likely to be a specific role in a large healthcare organization, while smaller healthcare providers may assign compliance duties to a staff member in tandem with their other duties. The complaint should be sent to the HIPAA compliance officer.
Complaints can also be submitted to the Office for Civil Rights. It is not an obligation to first report the incident to the covered entity. Patients can bypass this step and file a complaint with OCR about a privacy violation or another type of HIPAA violation that they have discovered.
OCR will review complaints for HIPAA violations and will complete an investigation if there are grounds for a complaint. While anonymous complaints can be filed, OCR will only review complaints if the complainant is named and contact details are given. Complaints must be submitted within 180 days of discovery of the violation and the suspected HIPAA breach should be clearly stated, as briefly as possible.