How to report HIPAA violations

Under the Breach Notification Rule, a breach of unsecured protected health information (PHI) must be reported without unreasonable delay and no later than 60 calendar days after its discovery. However, it can be confusing for covered entities (CEs) and business associates (BAs) to determine who the breach must be reported to, and what details the notification should contain.

Reporting a HIPAA Violation

Anyone can report a HIPAA violation to the Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) oversees HIPAA enforcement. This can be done via the online complaint portal on the department’s website. The portal contains a form that asks for the details the OCR needs to carry out an investigation. If submitting a complaint via this method, the OCR requires your name and contact details. If you wish to remain anonymous, the form can instead be downloaded and sent in hard copy.

Though HIPAA does not require a name to be submitted alongside a complaint, the OCR has stated that it will not investigate an anonymous complaint. Separately, the Privacy Rule prohibits a CE from retaliating against anyone who has filed a complaint, anonymously or otherwise.

If someone wishes to remain anonymous towards the organisation they are complaining about, the complainant can submit their details to the OCR but withhold consent for the OCR to share them with that organisation. Though this may impede the investigation, it does preserve the complainant’s anonymity with respect to the CE or BA.

Requirements for a Violation Report

For a complaint to be accepted, the OCR requires that it meet three conditions:

  • Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal on the HHS website
  • Name the covered entity or business associate involved, and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules
  • Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause”

How should CEs report HIPAA breaches?

Affected individuals must be notified without unreasonable delay, and no later than 60 calendar days after the breach is discovered. The notification must be in writing, sent by first-class mail to the individual’s last known address, or by email if the individual has agreed to receive notices electronically. If the CE has insufficient or out-of-date contact information for 10 or more affected individuals, it must provide substitute notice: either a conspicuous posting on the home page of its website for at least 90 days, or a conspicuous notice in major print or broadcast media in the areas where the affected individuals are likely to reside, in each case including a toll-free telephone number that remains active for at least 90 days. If fewer than 10 individuals cannot be reached, the CE may use an alternative form of written notice, the telephone, or other means. Where the breach is urgent because of possible imminent misuse of the PHI, the CE may also contact individuals by telephone or other means, but this is in addition to, not instead of, the written notice.

If there is a large-scale breach in which more than 500 residents of a particular state or jurisdiction are affected, the CE must also notify prominent media outlets serving that state or jurisdiction. This usually takes the form of a press release and, like the individual notices, must be done without unreasonable delay and no later than 60 days after discovery of the breach. A BA’s obligation is to notify the CE of the breach within the same 60-day window; the CE is then responsible for the individual, media and HHS notifications, unless it has delegated them to the BA by contract.

HHS oversees HIPAA enforcement and also determines the penalties for non-compliance. If a breach affects 500 or more individuals, the CE must notify the Secretary of HHS at the same time as it notifies the affected individuals, that is, without unreasonable delay and no later than 60 days after discovery. This is done by filling out and submitting the online Breach Report form on the HHS website.

If the breach affects fewer than 500 people, the CE need only log the incident and report it to the Secretary on an annual basis. Such breaches must be reported no later than 60 days after the end of the calendar year in which they were discovered.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681