If you think that a HIPAA violation occurred in your workplace, would you report it? How and to whom? If by accident you have violated HIPAA Rules or perhaps someone in your workplace, a colleague or your boss, is violating HIPAA Rules, it is vital that you report the potential violation(s).
Since the HIPAA Enforcement Rule was enacted, a financial penalty can be issued on covered entities that defy the HIPAA Rules. When a complaint or data breach is investigated and the HHS’ Office for Civil Rights finds an unresolved HIPAA violation, OCR issue pursue financial penalties. Having said that, it is possible to avoid or reduce a penalty if the violation was identified internally and was resolved.
Just in case there is patient privacy violation, reporting the violation internally will allow your employer to take action to reduce the chances that the patient would suffer harm and to avert any more identical privacy breaches.
Who Should Be Notified of a Potential HIPAA Violation?
When healthcare employees know about a HIPAA violation occurring at work, they should report it either to their boss or a HIPAA Privacy Officer. The HIPAA Privacy Officer needs to know all cases of HIPAA compliance failure and must perform an investigation, including a risk assessment.
The risk assessment will tell the Privacy Officer if the violation is reportable or not. Some internal HIPAA Rules violations are reportable and some are not. But in case the covered entity fails to inform OCR of a reportable HIPAA violation, there could be financial penalties issued.
The covered entity need to do something to resolve the reason for the violation. Update of policies and procedures or additional employee training may be needed. In a lot of instances that employees report HIPAA violations in house, the company doesn’t do anything to fix the issue. In such instances, the matter ought to be made known to the HHS’ Office for Civil Rights.
What is the Procedure for Filing a HIPAA Complaint with the OCR?
OCR will investigate complaints received regarding potential HIPAA violations, but only if the complainant provides his/her name and contact details. If submitted anonymously, the complaint will not be acted upon. A lot of employees may not like to provide their contact information when submitting violation reports, even if the law does not allow healthcare organizations to get back on the persons who reported potential HIPAA violations at work.
OCR generally issues financial penalties only for willful HIPAA violations or when HIPAA violations result from negligence. In many instances, HIPAA violations are resolved through voluntary compliance such as when the healthcare organization agrees to take steps to avoid even more violations. Thus, reporting HIPAA violations is very important.