What is the Procedure for Reporting a HIPAA Violation?

It is vital for all staff members in the healthcare sector to have a firm grasp of what a HIPAA violation is and how to report one. Comprehending what a HIPAA violation entails should be included in HIPAA training, as should the correct individual to direct the report it to – who then is charged with determining whether ot not the HIPAA violation report should be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR).Possible HIPAA violations must be reviewed internally by HIPAA Covered Entities and – where applicable – their Business Associates to determine the extent of the breach, the danger to individuals affected by the incident, and to ensure action is taken swiftly to correct the breach and limit damage. The quicker a possible HIPAA violation is reported, the more straightforward it will be to restrict the potential harm that may be caused and to prevent further breaches of HIPAA Rules.

Reporting HIPAA Violations Internally

When healthcare or insurance workers feel a violation of HIPAA has taken place, the incident should be made known to a supervisor, the organization’s Privacy Officer, or to the individual charged with ensuring HIPAA compliance in the group.

HIPAA violations due to human error occur even when great care is taken by staff members. The HIPAA complaint will have to be reviewed internally and a decision taken regarding whether it is a reportable breach under provisions of the HIPAA Breach Notification Rule. In most cases, minor incidents are so small that they do not require notifications to be sent, such as when minor mistakes are made in good faith or if PHI has been disclosed and there is little danger of knowledge of PHI being recorded.

If you have committed a mistake, accidentally seen PHI of a patient that you do not have permission to view, or another person in your group is suspected of breaching HIPAA Rules, you should report HIPAA violations as quickly as possible. The failure to complete this is likely to be viewed unfavorably if it is later noticed.

Reporting a HIPAA Violation to HHS’ OCR

It is also acceptable for employees and patients to bypass alerting the covered body and make a HIPAA complaint directly with OCR if it is felt that a Covered Entity has breached the HIPAA Privacy, Security, or Breach Notification Rules. In all instances, serious breaches of HIPAA regulations including potential criminal violations, willful/widespread neglect of HIPAA Rules, and a number suspected HIPAA violations should be made known to the Office for Civil Rights.

HIPAA complaints can be sent to this body via the OCR’s Complaint Portal online,  although OCR will also accept complaints via fax, mail, or email. Contact details for HIPAA violation reporting can be found on the above link.

In order for OCR to come to a ruling as to whether a violation is likely to have taken place, the reason for the HIPAA complaint should be written stated along with the potential breach. Details will need to be supplied about the covered body (or business associate), the date when the HIPAA violation is thought to have taken place, the address where the violation happened – if known, and when the complainant became aware of the possible HIPAA breach.

Complaints should be filed within 180 days of the entity becoming aware of the breach, although in certain instances, an extension to the HIPAA violation reporting time limit may be allocated if there is a valid reason.

Though complaints can be filed anonymously, it is vital to bear in mind that OCR will not review any HIPAA complaint if a name and contact information is not provided.

All complaints will be considered, and investigations into HIPAA complaints will begin if HIPAA Rules are thought to have been breached and the complaint is filed inside the 180-day time limit.

Not every HIPAA violation leads to settlements or civil monetary fines. In some cases, the issue is settled through voluntary compliance, technical guidance, or if the covered organisation or business associate agrees to implement corrective measures.