It is the duty of HIPAA covered entities to make sure that their personnel know the right steps for reporting a HIPAA violation. But the privacy officers of the healthcare organization has the duty to assess whether a violation must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) for in-depth investigation.
Potential HIPAA violations should be investigated in-house by HIPAA covered entities and/or business associates to ascertain the extent of the data breach, the risk to people affected by the breach, and to make sure measures are taken immediately to correct the violation and minimize risk. Generally, it is advisable that HIPAA violations are reported once they are found out. This quick action minimizes the possible harm that may be brought on to patients, and may aid in preventing more violations of HIPAA Rules.
Whenever healthcare professionals think an associate or their employee has broken HIPAA laws, the incident ought to be reported to a supervisor, your healthcare organization’s Privacy Officer, or to the person in charge of HIPAA compliance in your company. Not all HIPAA violations are deliberate. Accidental HIPAA violations happen even though employees are very careful to follow the rules specified in the HIPAA. In case an accident does happen, the company must do an internal inspection and a judgement made whether it is right to report the data breach to OCR under the terms of the HIPAA Breach Notification Rule. With regards to minor incidents, the breaches are mostly inconsequential, and thus do not require issuance of notifications. This may happen when minor mistakes are made in good faith, or when PHI has been exposed and there is minimal risk of knowledge that PHI is retained.
In case you made an error such as when you accidentally viewed the PHI of a patient which you are not permitted to view, or another person in your company is believed to have violated the HIPAA Rules, you need to report what happened quickly. The failure to do so has negative results when the breach is discovered later on.
If an employee knows that a covered entity has broken the HIPAA Privacy, Security, or Breach Notification Laws, he is allowed to submit a direct complaint to the Office of Civil Rights (OCR), as he may not have the authority to report the complaint within the company itself. In all instances, serious violations of HIPAA Rules which include potential criminal violations, multiple suspected HIPAA violations and willful neglect of HIPAA Rules ought to be directly reported to the Office for Civil Rights. Complaints may be submitted by using the OCR’s Complaint Portal online. Complaints to be reported to the OCR may also be through fax, mail, or email. OCR’s contact information is available on its website.
For OCR to decide whether a HIPAA violation has likely occurred, the grounds for submitting the complaint ought to be mentioned together with the potential HIPAA violation. The complainant should present information regarding the covered entity (or business associate), the date when the HIPAA violation is believed to have occurred, the location where the violation happened (if known), and when the complainant knew about the possible HIPAA violation.
HIPAA legislation requires that complaints must be submitted within 180 days of discovering the violation. In some cases, an extension may be given when there is good reason for delay. Although complaints may be submitted anonymously, you need to be aware that OCR wouldn’t investigate any HIPAA complaint when a name and contact details are not provided.
All complaints are read and evaluated, and invested if HIPAA Rules are thought of being violated and the complaint is reported within 180 days from discovery. Not all HIPAA violations end in negotiations or civil monetary fines. Quite often, the problem is remedied by means of voluntary compliance, technical assistance, or if the covered entity or business associate concurs to take restorative action.