How to make HIPAA Complaints within a Covered Entity

What are the Responsibilities of a HIPAA Compliance Officer?

Who should be informed within the covered entity when you want to make a HIPAA complaint? Any healthcare employee who thinks a HIPAA violation has occurred should report the incident internally.

In the course of your HIPAA training, you should have been told who to talk to when you want to make a HIPAA complaint, and you should have been told about the procedures for doing so. In most cases, the HIPAA violation must be reported to the individual in your company who is in charge of HIPAA compliance, normally your Privacy Officer. You might feel more at ease reporting the episode to your supervisor.

All HIPAA violations, even relatively minor ones, should be reported. They might be a sign of a bigger problem, so it is essential that they are looked into internally. Accidental HIPAA violations must also be reported. It is advisable to admit a relatively small HIPAA violation yourself rather than have the incident reported by a colleague, identified during an internal audit, or, even worse, discovered by government regulators.

A covered entity should assess potential HIPAA violations, decide whether HIPAA Rules were violated, and determine whether the incident needs to be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) under the HIPAA Breach Notification Rule requirements. Not every breach is reportable. In order to determine if a breach is reportable, a risk analysis should be carried out.

The HIPAA Breach Notification Rule calls for covered entities and business associates to submit reports of HIPAA violations to OCR. All breaches affecting over 500 people should be reported as soon as possible, and no later than 60 days after the discovery of the incident. Smaller breaches affecting fewer than 500 people can be reported yearly, but no later than 60 days following the end of the year in which the incident was discovered. Nevertheless, breach notices should be sent to impacted patients within 60 days, irrespective of the number of people the breach affected.

Although all HIPAA violations ought to be reported in-house, a complaint may also be submitted directly to OCR. However, OCR does not investigate anonymous complaints.