How long do you have to report a HIPAA violation?


How long do you have to report a HIPAA violation? If someone uncovers a HIPAA violation, do they have to report it immediately? And who should they report it to? We investigate these questions, and others, in this article. 

It is imperative that all HIPAA violations are reported within the workplace. The reasoning for this is twofold: HIPAA requires that all violations are reported in a timely manner, and prompt reporting also benefits the Covered Entity and Business Associates (CE and BA). Reporting even minor violations helps prevent future, more serious violations and encourages workplace openness and honesty. Additionally, the quicker a serious violation is reported, the easier it is to limit its scope.

The CE and BA must have clear procedures in place to ease the reporting process. The HIPAA Privacy Rule and HIPAA Security Rule require that CEs and BAs appoint a HIPAA Privacy and HIPAA Security Officer, respectively. In some smaller organizations, these can be combined into a single job of “HIPAA Compliance Officer”. These Compliance Officers also act as a point of contact for members of the public who have concerns about HIPAA compliance within the workplace. 

Employees should report all violations, whether accidental, incidental, or deliberate. Once the violation has been filed with the Compliance Officer, the Officer can investigate its causes.

If a patient has a concern that they wish to file directly with the Office for Civil Rights, which oversees HIPAA enforcement, they must do so within 180 days of the incident of concern. This limit may be extended if there is just cause. 

All violations must be reported by the CE or BA to the OCR. The OCR can then investigate the violation and decide on a course of action. This may include a corrective action plan, a financial penalty, or even criminal prosecution. 

The Breach Notification Rule stipulates that, if a patient’s PHI has been accessed by an unauthorized individual, the CE or BA must notify that patient. If multiple patients’ data have been accessed and more than 10 of those patients cannot be contacted, the CE or BA must place a notice in a local media source and maintain a notification on their website for 90 days after the breach has been announced.

If more than 500 patients were affected by the breach, the OCR must be notified within 60 days of the breach’s discovery. Media sources servicing the local areas must also be notified. If breaches affect fewer than 500 patients, then an annual report can be given to the OCR.