How Do You Report A HIPAA Violation at Work?


If you believe a HIPAA violation has occurred in your workplace, would you report it? How, and to whom? Whether you have accidentally violated the HIPAA Rules yourself, or someone in your workplace, a colleague or your manager, is violating them, it is vital that the potential violation is reported.

Since the HIPAA Enforcement Rule came into effect, financial penalties can be imposed on covered entities (and, since the HITECH Act, on business associates) that violate the HIPAA Rules. When a complaint or data breach is investigated and the HHS’ Office for Civil Rights (OCR) finds an unresolved HIPAA violation, OCR can pursue financial penalties. That said, a penalty can often be avoided or reduced if the violation was identified internally and has already been corrected.

If patient privacy has been violated, reporting the violation internally allows your employer to act quickly to reduce the chance that the patient suffers harm and to prevent similar privacy breaches from recurring.

Who Should Be Notified of a Potential HIPAA Violation?

When healthcare employees become aware of a HIPAA violation at work, they should report it either to their supervisor or to the organization’s HIPAA Privacy Officer. The Privacy Officer needs to know about every HIPAA compliance failure and must investigate each one, including performing a risk assessment.

The risk assessment tells the Privacy Officer whether the violation is reportable. Not every internal HIPAA violation has to be reported to OCR, but if a covered entity fails to notify OCR of a reportable breach, financial penalties can follow.

The covered entity must also address the root cause of the violation. That may mean updating policies and procedures or providing additional employee training. In some cases an employee reports a HIPAA violation internally and the organization does nothing to fix the issue. When that happens, the matter should be reported to the HHS’ Office for Civil Rights.

What is the Procedure for Filing a HIPAA Complaint with the OCR?

OCR will investigate complaints about potential HIPAA violations, but only if the complaint is submitted in writing, names the organization involved, describes the act believed to be a violation, and is filed within 180 days of when the complainant became aware of it. The complainant must also provide a name and contact details; anonymous complaints are not acted upon. Many employees are reluctant to give their contact information when reporting a violation, even though HIPAA expressly prohibits healthcare organizations from retaliating against anyone who files a complaint or reports a potential HIPAA violation at work.

OCR generally issues financial penalties only for willful HIPAA violations or violations that result from negligence. Many complaints are resolved through voluntary compliance, such as the healthcare organization agreeing to take corrective steps to prevent further violations. This is why reporting HIPAA violations is so important.

Reporting Violations at Work: FAQ

What is the difference between an accidental and incidental HIPAA violation?

Both accidental and incidental HIPAA violations are unintentional. An accidental violation is the result of a mistake, for example sending PHI to the wrong email address. An incidental disclosure is a by-product of another, permissible use or disclosure. For example, if a nurse brings a patient into a waiting room and the patient recognizes one of the other patients in the room, that is an “incidental” exposure. The Privacy Rule permits incidental disclosures as long as the organization applied reasonable safeguards and the minimum necessary standard; if it did not, the disclosure is a violation in its own right.

Should “near misses” be reported?

In many cases it is a good idea to report “near misses” to the HIPAA Privacy Officer. Although a near miss did not actually result in a HIPAA violation, it may be symptomatic of a larger weakness that could lead to a violation in the future. Knowing where an organization’s HIPAA compliance is weak makes it easier to protect against such violations.

Do Business Associates need a HIPAA Privacy Officer?

The HIPAA Privacy Rule’s requirement to designate a Privacy Officer applies to covered entities. Business Associates are directly required by the HIPAA Security Rule to designate a Security Officer responsible for developing and implementing their security policies and procedures, and failing to do so is a violation of HIPAA. Many Business Associates nevertheless appoint a Privacy Officer as well, and in small organizations the roles of HIPAA Privacy Officer and HIPAA Security Officer are often combined into a single HIPAA Compliance Officer who performs the duties of both.

What should an employee do if they report a HIPAA violation, but the CE chooses not to act?

Firstly, not all HIPAA violations require an extensive investigation. If the violation was incidental, or the result of a genuine accident, the covered entity may reasonably decide not to initiate an extensive corrective action plan. However, if the violation is more serious and the employee has genuine concerns about HIPAA compliance, they can submit a complaint with details of the violation to the Office for Civil Rights, which enforces HIPAA. The complaint must be filed within 180 days of the employee becoming aware of the violation.