Reporting HIPAA Violations Internally
When healthcare or insurance workers believe a HIPAA violation has taken place, the incident should be reported to a supervisor, the organization's Privacy Officer, or whichever individual is charged with ensuring HIPAA compliance within the organization.
HIPAA violations due to human error occur even when staff take great care. A reported incident must be reviewed internally and a decision made as to whether it is a reportable breach under the HIPAA Breach Notification Rule. Not every incident triggers notifications: the rule excludes, for example, unintentional access by a workforce member acting in good faith and within the scope of their authority, provided the PHI is not further used or disclosed. Whether an exception applies is a judgement the organization has to make and document, not one the individual employee should make on their own.
If you have made a mistake, have accidentally seen PHI of a patient you do not have permission to view, or suspect another person in your organization of breaching the HIPAA Rules, report it as quickly as possible. A failure to report is likely to be viewed unfavorably when the breach is later discovered.
Reporting a HIPAA Violation to HHS’ OCR
Employees and patients may also bypass the covered entity and file a HIPAA complaint directly with OCR if they believe a covered entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. Serious breaches of the HIPAA Rules, including potential criminal violations, willful or widespread neglect of the HIPAA Rules, and a number of suspected violations by the same entity, should in all cases be reported to the Office for Civil Rights.
HIPAA complaints can be submitted through OCR's online Complaint Portal, although OCR also accepts complaints by fax, mail, or email. Contact details for HIPAA violation reporting are published on OCR's website.
For OCR to determine whether a violation is likely to have taken place, the complaint should describe the suspected violation and the reason for believing it occurred. It will need to identify the covered entity (or business associate), the date on which the HIPAA violation is thought to have taken place, the address where the violation happened (if known), and when the complainant became aware of the possible HIPAA breach.
Complaints should be filed within 180 days of when the complainant knew, or reasonably should have known, of the alleged violation; OCR may extend this HIPAA violation reporting time limit if the complainant shows good cause for the delay.
Although a complaint can be submitted anonymously, bear in mind that OCR will not investigate a HIPAA complaint that does not include the complainant's name and contact information.
All complaints are considered, and an investigation will be opened if the HIPAA Rules appear to have been violated and the complaint was filed within the 180-day time limit.
Not every HIPAA violation leads to a settlement or civil monetary penalty. In many cases the matter is resolved through voluntary compliance, technical assistance, or an agreement by the covered entity or business associate to implement corrective measures.