It is the responsibility of HIPAA covered entities to ensure that their employees know the correct procedures for reporting a HIPAA violation. It is then the responsibility of the organization's privacy officers to make a judgment as to whether the incident should be directed to the Department of Health and Human Services' Office for Civil Rights (OCR) for a full investigation.
Potential HIPAA violations must be investigated internally by HIPAA covered entities and their business associates to determine the severity of the breach and the risk to the individuals impacted by the incident, and to ensure that action is taken promptly to correct the violation and mitigate risk. In general, it is recommended that HIPAA violations are reported as soon as possible after they are discovered. Rapid action mitigates the potential harm to patients and may help to prevent further violations of HIPAA Rules.
Internally Reporting a HIPAA Violation
When healthcare professionals suspect that a colleague or their employer has acted in violation of HIPAA legislation, the incident should be reported to a supervisor, to the organization's Privacy Officer, or to the individual responsible for HIPAA compliance in the organization.
Not all HIPAA violations are intentional. Accidental HIPAA violations occur even when employees are careful to follow the guidelines outlined in the Act. If an accident does occur, the incident will have to be investigated internally and a decision made about whether the breach should be reported to OCR under the provisions of the HIPAA Breach Notification Rule. Minor incidents are largely inconsequential and therefore do not warrant notifications being issued. This may be the case when minor errors are made in good faith, or when PHI has been disclosed but there is little risk that the disclosed PHI was retained.
If you have made a mistake, accidentally viewed the PHI of a patient that you are not authorized to view, or suspect another individual in your organization of violating HIPAA Rules, you should report the incident promptly. Failing to do so may have negative consequences if the breach is later discovered.
Reporting a HIPAA Violation to HHS’ Office for Civil Rights
If an employee believes that a covered entity has violated the HIPAA Privacy, Security, or Breach Notification Rules, they are permitted to make a direct complaint to the Office for Civil Rights, as they may not have the power to make a complaint within the organization itself. In all cases, serious violations of HIPAA Rules, including potential criminal violations, willful or widespread neglect of HIPAA Rules, and multiple suspected HIPAA violations, should be reported directly to the Office for Civil Rights.
Complaints can be submitted via the OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact information can be found on the OCR website.
For OCR to determine whether a HIPAA violation is likely to have occurred, the reason for the complaint should be clearly stated along with the potential HIPAA violation. The complainant must provide information about the covered entity (or business associate), the date on which the HIPAA violation is suspected of having occurred, the address where the violation occurred (if known), and when the complainant learned of the possible HIPAA violation.
HIPAA legislation mandates that complaints should be submitted within 180 days of the violation being discovered. In certain cases, an extension may be granted if there is good cause for the delay. While complaints can be submitted anonymously, it is important to bear in mind that OCR will not investigate a HIPAA complaint if a name and contact information are not supplied.
All complaints will be read and assessed, and an investigation into a HIPAA complaint will be launched if HIPAA Rules are suspected of having been violated and the complaint was submitted within the 180-day timeframe. Not all HIPAA violations result in settlements or civil monetary penalties. Oftentimes, the issue is resolved through voluntary compliance, technical guidance, or the covered entity or business associate agreeing to take corrective action.
Reporting HIPAA Violations: FAQ
Should accidental and incidental violations be reported?
Yes, even if the violation was unintentional, it should still be reported to the organization's Privacy Officer. This is required for the CE to be HIPAA compliant, but it is also good practice: even if the violation was not "serious" (i.e. did not result in unauthorized access to PHI), it may be indicative of a wider problem that could lead to more serious breaches in the future. It also helps to foster an atmosphere of openness and honesty among employees.
What is a Privacy Officer?
HIPAA requires that all Covered Entities and their Business Associates appoint a HIPAA Privacy Officer. The role is varied, but is primarily concerned with ensuring HIPAA compliance across the CE. This includes providing training programs and promoting HIPAA awareness. Importantly, the Privacy Officer also acts as a point of contact for employees and members of the public who have privacy concerns, and it is to the Privacy Officer that HIPAA violations should be reported.
Can patients report HIPAA violations?
Yes, patients can file complaints with the CE, allowing the CE to conduct an internal investigation. However, they can also file complaints directly with the Office for Civil Rights, which may choose to conduct an investigation into the CE if it decides that there are reasonable grounds for the complaint.
What is the difference between a HIPAA violation and a HIPAA breach?
A HIPAA violation is any instance in which HIPAA has not been followed. Failure to allow a patient access to their own medical records is a violation of HIPAA, as is failure to provide patients with a Notice of Privacy Practices. A HIPAA breach, by contrast, occurs when PHI has been accessed by an unauthorized individual. HIPAA breaches are the result of HIPAA violations, but not all violations result in a breach.