The Health Insurance Portability and Accountability Act, commonly called HIPAA, is legislation that governs a number of aspects of the healthcare industry, mostly related to information privacy and security, and preventing healthcare fraud, but how should HIPAA violations be reported and who should they be reported to?

Why Should HIPAA Violations be Reported?

If HIPAA covered entities or their business associates violate HIPAA Rules, or are suspected of violating HIPAA Rules, this should be reported. HIPAA violations are often caused by human error or misunderstandings of how HIPAA should be applied to protected health information (PHI) or other elements. More rarely, violations can be caused by willful negligence or malicious action. Covered entities responsible for violations may not even be aware that they are acting outside of the HIPAA regulations, or that some action has resulted in an information breach.

Known or discovered violations should be reported. Reporting violations means they can be investigated if needed, which can help resolve the issue and potentially prevent it from occurring again. Reporting HIPAA violations also allows the affected patients to be identified so that they can be notified and take action to minimize any harm that could result from the release of their information.

Who Should HIPAA Violations be Reported to?

Who HIPAA violations should be reported to depends somewhat on your role in the healthcare sector. Optimally, for employees, any violation or suspected violation should first be reported to your organization’s Compliance Officer. If this is not possible or if your organization does not have a Compliance Officer, reports can be made to supervisors or managers. This course of action allows the covered entity the opportunity to immediately take action to address and correct the violation or breach.

Should the covered entity fail to take appropriate action, or if the employee prefers, they can report the violation or suspected violation directly to the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR is the primary enforcer of HIPAA Rules, along with state attorneys general. For the OCR to take action, the complaint should include specific details of the suspected breach or violation. Information should be kept as relevant as possible and include the date or dates of the violations, whether the violation is still occurring, and when the issue was first discovered. Reports should be made within 180 days of the discovery of the breach, as the OCR will not take action after this period, except in certain exceptional circumstances where “good cause” for the delay can be shown.

Should patients wish to report HIPAA violations or suspected violations, they should first make a formal complaint to the covered entity concerned. This gives the organization the opportunity to conduct an internal examination of the issue and potentially take corrective action. The complaint should be addressed to the organization’s Compliance Officer, if possible. As it is the duty of Compliance Officers to design, implement, and monitor a covered entity’s HIPAA compliance, they will be the ones most likely to investigate the incident and try to fix the problem. Patients should be aware that not all covered entities have dedicated Compliance Officers; smaller companies may assign the Compliance Officer role to another employee who carries out this function in addition to other responsibilities. Organizations of any size may have outsourced their Compliance Officer’s functions to an external third party.

Patients can also report their complaints directly to the OCR as they are under no obligation to contact the covered entity first. Should patients decide to take this direct route, the report can be made via the OCR’s dedicated online complaint portal or by submitting a complaint form that can be sent by email, postal mail, or fax. Once again, complaints or reports of suspected HIPAA violations must be made within 180 days of discovery of the problem. Precise information such as dates should be included if known, with the overall report being made in as concise and relevant a manner as possible. The OCR will then consider the complaint and determine whether the information therein points to a potential HIPAA violation that warrants further investigation.

Anyone can make a complaint or report a HIPAA violation anonymously. It should be noted, however, that the OCR has stated that it will not commence an investigation into a covered entity unless the complainant is named and has provided contact details.

There are provisions made to protect those who make complaints or report HIPAA violations. The OCR must be notified if covered entities try to take retaliatory action against complainants, as this is illegal. Should individuals fear reprisals, they can still make their complaint providing their name and contact details, but deny the OCR consent to reveal their identity or identifying information. In these cases, the OCR can investigate the covered entity or organization without providing any identifying details to the party under investigation.

It is strongly advised that HIPAA violation reports include the details of the reporter, as anonymous complaints may not lead to investigations. Withholding permission to reveal the complainant’s identity may also slow an investigation, potentially leading to further HIPAA violations or more PHI being exposed.