Submitting HIPAA Complaints Internally

During HIPAA training, you should have been told who within the covered entity HIPAA complaints should be submitted to, and the procedures to follow for making complaints about possible HIPAA breaches. Generally speaking, a HIPAA breach should be reported to the individual in your group who is responsible for HIPAA compliance, which is usually your Privacy Officer or CISO. You may feel more at ease reporting the incident to your supervisor.

All HIPAA breaches, even HIPAA breaches that seem relatively minor, should be reported. They could indicate that there is a wider issue, so it is important they are investigated internally. Accidental HIPAA breaches should also be reported. It is better to take responsibility for a minor HIPAA violation than for the breach to be reported by a colleague or to be discovered during an internal audit, or worse, by regulators.

A covered entity must investigate potential HIPAA breaches and decide whether HIPAA Rules have been violated, and if so, whether the incident is reportable to the Department of Health and Human Services’ Office for Civil Rights (OCR) under the requirements of the HIPAA Breach Notification Rule. Not all HIPAA breaches are reportable incidents. To make that determination, a risk assessment will need to be carried out to establish whether an official breach notification is required.

The HIPAA Breach Notification Rule requires covered entities (and their business associates) to report HIPAA violations to OCR, and there is a tight timescale for doing so. All breaches affecting more than 500 individuals must be reported as soon as possible, and certainly no later than 60 days after the identification of the breach. Smaller breaches impacting fewer than 500 people can be reported every year, but no later than 60 days after the end of the calendar year in which the breach was noticed. However, breach alerts will need to be issued to impacted patients within 60 days, regardless of how many individuals have been affected by the breach.

When Should HIPAA Breaches be Reported to OCR?

While all HIPAA breaches should be reported internally, a complaint can be submitted to OCR about a HIPAA breach or potential HIPAA breach. You should note that a review will only be carried out by OCR if the complainant is named. OCR does not look into anonymous complaints.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth.