Reporting an anonymous HIPAA violation complaint to HHS’ Office for Civil Rights (OCR) is likely to result in the complaint being ignored due to a lack of resources and the risk that the complaint is unjustified or malicious. However, although OCR doesn’t support reporting an anonymous HIPAA violation complaint, there are other options.
Although it is illegal for a Covered Entity to intimidate, threaten, coerce, discriminate, or retaliate against an individual who makes a complaint about a HIPAA violation, it is understandable that some individuals may prefer to report a HIPAA violation or make a HIPAA complaint anonymously.
However, when you review the Office for Civil Rights’ guidelines for HIPAA violation reporting, every option requires the complainant to reveal their name. Indeed, the first page of the OCR Complaints Portal requires you to complete your name, address, telephone number, and email address.
While you have the option to withhold consent for your identity to be disclosed, the denial of consent “is likely to impede the investigation of [the] complaint and may result in closure of the investigation”. So, is reporting an anonymous HIPAA violation complaint possible?
Why OCR Doesn’t Support Anonymous HIPAA Violation Reporting
There are several reasons why OCR doesn’t support anonymous HIPAA violation reporting. The first is that the Office for Civil Rights receives more than twenty thousand health information privacy complaints each year and the department doesn’t have the resources to investigate each one.
By dissuading individuals from reporting HIPAA violations anonymously, OCR eliminates many complaints that are likely to be malicious, unjustified, or lack an understanding of what a violation consists of. Unfortunately, this may also dissuade individuals from making genuine complaints.
A further reason is that, if an individual is making a complaint about a privacy violation, it is important OCR knows whose privacy has been violated. It would be impossible for OCR to investigate an anonymous HIPAA violation complaint if it did not know who the complaint related to.
What Other Options Exist to Report a HIPAA Violation?
All HIPAA Covered Entities are required to appoint a Privacy Officer whose role includes being the point of contact in the event of a HIPAA violation complaint. Complaints to a Privacy Officer can relate to privacy violations, breaches of process, or any other administrative issues.
Other options to report a HIPAA violation include State Attorneys General. State Attorneys General have the authority to take legal action against Covered Entities for HIPAA violations.
You may also be able to take legal action if your privacy has been violated and claim compensation for a HIPAA violation. You should bear in mind that there is no private cause of action under HIPAA, which means individuals cannot sue HIPAA covered entities for violations of the HIPAA Rules. Lawsuits against HIPAA covered entities can be filed if the HIPAA Rules have been violated, but the case is only likely to have standing if there has also been a violation of state privacy laws. You are also likely to have to demonstrate that you have suffered harm or a verifiable financial loss due to an unauthorized disclosure of your health information or other privacy violation.
Whether or not it is possible to report a HIPAA violation anonymously via these options may depend on individual policies and state laws. It may also be the case that a State Attorney General or lawyer will require you to file a complaint with OCR before taking on your case.
How to Report a HIPAA Violation Anonymously
If you really do not want to provide your name and contact information, what options are available to you to report a HIPAA violation anonymously?
If you want to report a HIPAA violation by your employer, the first port of call should be your HIPAA Officer. You can send a complaint anonymously and explain in the letter or email why you do not want to disclose your identity. If you can provide evidence of HIPAA being violated, your HIPAA Officer should investigate and take action.
If you have taken the above step and nothing has been done, you can take the matter further by submitting a complaint to OCR. You can do this by downloading a Health Information Privacy & Security Complaint form and then mailing it to OCR, absent your contact details. You will have to support your anonymous HIPAA complaint with compelling evidence in order for OCR to consider opening an investigation. OCR only has limited staff available to investigate complaints, and the COVID-19 pandemic has stretched the department even further. OCR is prioritizing complaints submitted online, and also complaints that include contact information.
What you must not do is submit a HIPAA complaint to OCR under an alias. Federal law prohibits the falsification of communications with federal agencies; and although the intention may be honorable, you might end up in more trouble than the party responsible for the HIPAA violation.
Reporting HIPAA Violations: FAQs
Who do you report HIPAA violations to?
If you are an individual making a complaint about a privacy violation under HIPAA, you would usually report the HIPAA violation to the Office for Civil Rights (OCR). However, as mentioned above, you can also report the violation to a HIPAA Privacy Officer, State Attorney General, or lawyer.
If you are an employee of a Covered Entity or Business Associate, a report should be made to your HIPAA Privacy Officer. Covered Entities usually have policies relating to internal reporting processes and can apply sanctions if an employee identifies a HIPAA violation and fails to report it.
If you are a Business Associate, you should report HIPAA violations to your Covered Entity. The Covered Entity will determine whether the violation should be reported to OCR – conducting a risk assessment to establish the “probability of compromise” if necessary.
How do I file a HIPAA complaint to the OCR?
The safest way to file a HIPAA complaint to the OCR is via the online Complaints Portal. This is because the Complaints Portal is hosted on a secure website, whereas downloading the complaint form and posting, faxing, or emailing it risks data on the form being exposed to third parties.
How do I report a HIPAA violation and withhold consent for my identity to be disclosed?
When you file a complaint via OCR’s online Complaints Portal, there are six pages to complete. On the fifth page, there is an explanation of how the information provided to OCR is used, and you are asked either to consent to your identity being disclosed when necessary or to withhold your consent.
How do I find out if my complaint has been investigated?
Under the Freedom of Information Act (FOIA), you can request a copy of your case file once an investigation has been closed. However, OCR can withhold information from you in order to protect the identities of witnesses contacted during the investigation and other sources of information.
Are HIPAA complaints anonymous when made to a different agency?
Multiple channels exist for individuals to make a complaint or report a HIPAA violation. For example, individuals can make a complaint to State Attorneys General and local HHS offices. However, every agency requires complainants to include their full personal details when submitting a complaint, so it is not possible to make a HIPAA complaint anonymously under any circumstances.