If a HIPAA violation has been discovered, reporting it promptly is not just good practice: in many cases HIPAA requires it, and the Breach Notification Rule attaches fixed deadlines. But how long do you have to report a HIPAA violation?
Covered Entities and Business Associates should have clear procedures in place so that employees can securely and confidentially report suspected HIPAA violations. This makes it more likely that every violation is reported, and early reporting can limit the scope and impact of a violation. It is also important to foster trust among employees so that they are willing to report violations they suspect or witness, rather than fear retaliation for doing so.
Within the Covered Entity or Business Associate, a HIPAA violation should be reported as soon as it is detected. The person who discovered the violation should report it to the organization’s HIPAA Privacy Officer or HIPAA Security Officer (roles that, in smaller organizations, are often combined into a single “HIPAA Compliance Officer”). The Compliance Officer can then investigate the violation and its cause, and assess its severity and scope. Prompt internal reporting matters for the deadlines below because, under the Breach Notification Rule, a breach is treated as “discovered” on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the organization other than the person who committed it. The clock starts then, not when the report reaches the Compliance Officer.
All violations, whether intentional, accidental, or incidental, should be reported.
The Compliance Officer can then determine whether the violation constitutes a breach of unsecured PHI that must be reported to the Office for Civil Rights (OCR) under the Breach Notification Rule. Separately, anyone who believes their rights have been violated, including an employee or a patient, may file a complaint directly with OCR. A complaint should be filed as soon as possible, and HIPAA requires that it be filed within 180 days of when the complainant knew, or should have known, that the act or omission occurred. OCR may waive this 180-day limit if the complainant shows good cause. Note that the 180-day window applies to complaints; it is not the deadline for breach notification, which is described below.
Under the Breach Notification Rule, if a Covered Entity or Business Associate discovers that unsecured PHI has been acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule, the incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. The Covered Entity must notify each affected individual without unreasonable delay and in no case later than 60 days after discovery of the breach. If it has insufficient or out-of-date contact details for 10 or more individuals, it must provide substitute notice, either by posting a conspicuous notice on the home page of its website for 90 days or by placing a conspicuous notice in major print or broadcast media serving the areas where the affected individuals likely reside, and it must include a toll-free number that remains active for at least 90 days.
If the breach involves 500 or more individuals, the Secretary of the Department of Health and Human Services must be notified without unreasonable delay and no later than 60 days after discovery of the breach, at the same time the individuals are notified. Prominent media outlets must also be notified, within the same 60-day window, if the breach involves more than 500 residents of a single state or jurisdiction. Breaches involving fewer than 500 individuals are not exempt from reporting: they must be logged and submitted to the Secretary within 60 days after the end of the calendar year in which they were discovered. A Business Associate that discovers a breach must notify the Covered Entity without unreasonable delay and no later than 60 days after discovery, so that the Covered Entity can meet its own deadlines.