The procedures for reporting a HIPAA violation at work are set by each individual covered entity or business associate and should be explained to members of the workforce during their initial HIPAA or security awareness training.
Since the publication of the HIPAA Enforcement Rule, covered entities that violate HIPAA can be financially penalized for those violations. If, during the investigation of a complaint or data breach, an unresolved HIPAA violation is discovered, the HHS’ Office for Civil Rights could pursue financial penalties. However, a penalty can be avoided or mitigated if the violation was discovered internally and corrected.
In the case of a violation of patient privacy, internal reporting of the violation will enable your employer to take steps to minimize the possibility of harm coming to the patient and to prevent further similar privacy breaches.
Who You Should Notify About a Potential HIPAA Violation
Healthcare employees who discover that a HIPAA violation has occurred in the workplace need to report it to their supervisor or their HIPAA Privacy Officer. The HIPAA Privacy Officer should be informed of any failure in HIPAA compliance and should conduct an investigation, which needs to include a risk assessment.
The risk assessment will allow the Privacy Officer to determine if the violation is reportable. Not all internal HIPAA Rules violations are reportable. However, should the covered entity fail to notify OCR of a reportable HIPAA violation, financial penalties may be issued.
The covered entity should take action to correct the cause of the violation. It may be necessary to update policies and procedures or conduct additional employee HIPAA training.
In many instances, when employees report HIPAA violations internally, the company takes no action to deal with the issue. In such cases, the issue should be reported to the HHS’ Office for Civil Rights.
How to File a HIPAA Complaint with the HHS’ Office for Civil Rights
OCR investigates complaints about potential HIPAA violations, although only when the complainant provides their name and contact information. When complaints are submitted anonymously, it is unlikely that the issue will be investigated. Many employees might be unwilling to give their contact details when reporting violations. However, healthcare organizations are not permitted by law to retaliate against persons who report potential HIPAA violations in the workplace.
OCR usually only issues financial penalties for HIPAA violations when it finds a willful violation of HIPAA Rules or when HIPAA violations amount to negligence. In most cases, HIPAA violations are resolved through voluntary compliance, i.e., the healthcare organization takes action to prevent further violations, which is why reporting HIPAA violations is important.