It is the responsibility of HIPAA covered entities to ensure that their employees know the correct procedures for reporting a HIPAA violation. It is then the responsibility of the organisation's privacy officers to judge whether the incident should be directed to the Department of Health and Human Services' Office for Civil Rights (OCR) for a full investigation.
Potential HIPAA violations must be investigated internally by HIPAA covered entities and their business associates to determine the severity of the breach and the risk to the individuals affected, and to ensure that action is taken promptly to correct the violation and mitigate risk. In general, it is recommended that HIPAA violations are reported as soon as they are discovered. Rapid action mitigates the potential harm to patients and may help to prevent further violations of HIPAA Rules.
Internally Reporting a HIPAA Violation
When healthcare professionals suspect that a colleague or their employer has acted in violation of HIPAA legislation, the incident should be reported to a supervisor, to the organization's Privacy Officer, or to the individual responsible for HIPAA compliance in the organization.
Not all HIPAA violations are intentional. Accidental HIPAA violations occur even when employees are careful to follow the guidelines outlined in the Act. If an accident does occur, the incident will have to be investigated internally and a decision made about whether it is appropriate to report the breach to OCR under the provisions of the HIPAA Breach Notification Rule. Minor incidents are largely inconsequential and therefore do not warrant notification. This may be the case when minor errors are made in good faith, or when PHI has been disclosed but there is little risk that the information will be retained.
If you have made a mistake, have accidentally viewed the PHI of a patient that you are not authorized to view, or suspect another individual in your organization of violating HIPAA Rules, you should report the incident promptly. Failing to do so may have negative consequences if the breach is later discovered.
Reporting a HIPAA Violation to HHS’ Office for Civil Rights
If an employee believes that a covered entity has violated the HIPAA Privacy, Security, or Breach Notification Rules, they are permitted to make a direct complaint to the Office for Civil Rights, as they may not have the power to make a complaint within the organisation itself. In all cases, serious violations of HIPAA Rules, including potential criminal violations, wilful or widespread neglect of HIPAA Rules, and multiple suspected HIPAA violations, should be reported to the Office for Civil Rights directly.
Complaints can be submitted via the OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact information can be found on the OCR website.
For OCR to determine whether a HIPAA violation is likely to have occurred, the reason for the complaint should be stated in writing along with the potential HIPAA violation. The complainant must provide information about the covered entity (or business associate), the date on which the HIPAA violation is suspected of having occurred, the address where the violation occurred (if known), and when the complainant learned of the possible HIPAA violation.
HIPAA legislation mandates that complaints should be submitted within 180 days of the violation being discovered. In certain cases, an extension may be granted if there is good cause for the delay. While complaints can be submitted anonymously, it is important to bear in mind that OCR will not investigate a HIPAA complaint if a name and contact information are not supplied.
All complaints will be read and assessed, and investigations into HIPAA complaints will be launched if HIPAA Rules are suspected of having been violated and the complaint is submitted within the 180-day timeframe. Not all HIPAA violations result in settlements or civil monetary penalties. Oftentimes, the issue is resolved through voluntary compliance, technical guidance, or an agreement by the covered entity or business associate to take corrective action.