How Do You Report HIPAA Violations?


HIPAA violations are reported by documenting the facts, notifying the appropriate internal privacy or security officials, and following the organization’s incident response and breach assessment procedures. When applicable, this includes submitting a complaint to the Office for Civil Rights at the Department of Health and Human Services or reporting a breach through the required HHS breach reporting process. Separate reporting pathways apply to workforce misconduct, Business Associate incidents, and criminal conduct.

A workforce member who observes an impermissible use or disclosure of protected health information, a suspected security incident, or a failure to follow required safeguards should report the concern through the organization’s designated channel, which is often the privacy officer, security officer, compliance officer, or an established hotline or ticketing process. The report should include what occurred, the date and time, the individuals involved, the systems or locations affected, the type of information involved, and whether the information was accessed, acquired, used, or disclosed. The organization should preserve evidence such as email headers, access logs, screenshots, device identifiers, and relevant policies or procedures, while limiting internal sharing to staff with an assigned role in investigation and mitigation.

The organization’s response should align with documented procedures under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. For suspected disclosures, the organization should evaluate whether the action was permitted or required, whether the HIPAA Minimum Necessary Rule was followed when applicable, and whether safeguards were in place and used. For suspected security events, the organization should evaluate whether electronic protected health information was involved, whether authentication or access controls were bypassed, and whether there is evidence of unauthorized access. Corrective actions should be documented and may include workforce retraining, technical remediation, access changes, sanctions consistent with policy, and updates to procedures when failures indicate a control gap.


When an incident may involve a breach of unsecured protected health information, the organization should complete the breach risk assessment required by the HIPAA Breach Notification Rule. If the assessment determines that breach notification is required, the covered entity must notify affected individuals without unreasonable delay and within the required time limits, and must also report the breach to HHS using the appropriate reporting method based on the number of affected individuals. Business Associates must notify the covered entity of breaches of unsecured protected health information consistent with the business associate agreement and regulatory requirements so the covered entity can meet its notification duties.

Patients and members of the public can report suspected HIPAA violations by filing a complaint with the HHS Office for Civil Rights. Complaints typically describe the covered entity or business associate involved, the conduct at issue, the dates, the type of information involved, and any steps already taken with the organization. Organizations should maintain a process to receive and document complaints, respond within established timelines, prevent retaliation, and track resolution.

Some conduct implicates laws beyond HIPAA. Theft, intentional misuse of patient information, fraud, or unauthorized access that violates criminal statutes may warrant reporting to law enforcement in parallel with internal reporting and any required HIPAA Breach Notification Rule reporting, while preserving evidence and coordinating with legal counsel to avoid compromising investigations.

Reporting is complete only when the organization can show a documented intake, a documented investigation, a documented decision on breach notification when applicable, documented mitigation, and documented corrective action aligned to the organization’s policies and procedures.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]