Reporting a HIPAA Violation at Work

What is a HIPAA Violation?

The procedures for reporting a HIPAA violation at work are set by each individual covered entity or business associate and should be explained to members of the workforce during their initial HIPAA or security awareness training.

Since the publication of the HIPAA Enforcement Rule, covered entities that violate HIPAA can be financially penalized for HIPAA violations. If, during the investigation of a complaint or data breach, an unresolved HIPAA violation is discovered, the HHS’ Office for Civil Rights could pursue financial penalties. However, a penalty can be avoided or mitigated if the violation was discovered internally and corrected.

In the case of a violation of patient privacy, reporting the violation internally enables your employer to minimize the possibility of harm to the patient and to take steps to avoid further similar privacy breaches.

Who You Should Notify About a Potential HIPAA Violation

Healthcare employees who find out that a HIPAA violation happened in the workplace need to report it to their supervisor or their HIPAA Privacy Officer. The HIPAA Privacy Officer should be informed of any failure in HIPAA compliance and should conduct an investigation, which needs to include a risk assessment.

The risk assessment will allow the Privacy Officer to determine if the violation is reportable. Not all internal HIPAA Rules violations are reportable. However, should the covered entity fail to notify OCR of a reportable HIPAA violation, financial penalties may be issued.

The covered entity should take action to correct the cause of the violation. It may be necessary to update policies and procedures or conduct additional employee HIPAA training.

In many instances when employees report HIPAA violations internally, the company takes no action to deal with the issue. In such cases, the issue should be reported to the HHS’ Office for Civil Rights.

How to File a HIPAA Complaint with the HHS’ Office for Civil Rights

OCR investigates complaints about potential HIPAA violations, although only when the complainant gives their name and contact information. When complaints are submitted anonymously, it is unlikely that the issue will be investigated. Many employees might be unwilling to give their contact details when reporting violations. However, healthcare organizations are not permitted by law to retaliate against persons who report potential HIPAA violations in the workplace.

OCR usually only issues financial penalties for HIPAA violations when it finds a willful violation of HIPAA Rules or when HIPAA violations amount to negligence. In most cases, HIPAA violations are settled by means of voluntary compliance, i.e., the healthcare organization takes action to prevent further violations; hence the importance of reporting HIPAA violations.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: