Reporting a HIPAA Violation at Work

Would you report a HIPAA violation if you suspect that one occurred in your workplace? If so, how would you report the potential violation and to whom?

If you feel you have violated HIPAA Rules by accident or you think a work colleague or your employer is not complying with HIPAA Rules, it is important to report the potential violation(s).

From the time of the enactment of the HIPAA Enforcement Rule, covered entities that violate the HIPAA can be financially penalized for HIPAA violations. If during the investigation of a complaint or data breach, an unresolved HIPAA violation is discovered, the HHS’ Office for Civil Rights could pursue a financial penalties. However, a penalty can be avoided, or certainly reduced, if the violation was discovered internally and was corrected.

In case of a violation of patient privacy, internal reporting of the violation will enable your employer to do something to minimize the possibility of harm coming to the patient and take steps to avoid any further similar privacy breaches.

Who You Should Notify About a Potential HIPAA Violation

Healthcare employees who find out that a HIPAA violation happened in the workplace need to report it to their supervisor or their HIPAA Privacy Officer. The HIPAA Privacy Officer should be informed of any failure in HIPAA compliance and should conduct an investigation, which needs to include a risk assessment.

The risk assessment will allow the Privacy Officer to determine if the violation is reportable. Not all internal HIPAA Rules violations are reportable. However, should the covered entity fail to notify OCR of a reportable HIPAA violation, financial penalties may be issued.

The covered entity should take action to correct the cause of the violation. It may be necessary to update policies and procedures or conduct additional employee training.
In many instances when employees report HIPAA violations internally, the company takes no action to deal with the issue. In such cases, the issue should be reported to the HHS’ Office for Civil Rights.

How to File a HIPAA Complaint with the HHS’ Office for Civil Rights

OCR investigates complaints about potential HIPAA violations, although only when the complainant gives his/her name and contact information. When complaints are submitted anonymously, it is unlikely that the issue will be investigated. Many employees might be unwilling to give their contact details when reporting violations. However, healthcare organizations are not permitted by law to retaliate against persons who report potential HIPAA violations in the workplace.

OCR usually only issues financial penalties for HIPAA violations when it finds a willful violation of HIPAA Rules or when HIPAA violations amount to negligence. In most cases, HIPAA violations are settled by means of voluntary compliance – i.e the healthcare organization takes action to prevent further violations, hence the importance of reporting HIPAA violations.