To Whom Should HIPAA Complaints Be Reported Within a Covered Entity?

45 CFR § 164.530

To whom should HIPAA violation complaints be directed inside a covered entity? If a healthcare employee thinks he/she has witnessed a HIPAA violation, or may have violated HIPAA Rules, he/she should report the occurrence internally in the first instance. Usually, the potential violation should be reported to the HIPAA Privacy Officer, if one has been appointed.

Internal Reporting of Potential HIPAA Violations

Your HIPAA training should have included information about who should receive HIPAA complaints within the covered entity, as well as the procedures for submitting complaints regarding potential HIPAA violations. Generally, the HIPAA violation must be reported to the individual responsible for HIPAA compliance within your organization. Typically, that person is the Privacy Officer or CISO. Reporting the violation to your supervisor may be more convenient.

All HIPAA violations, including relatively minor privacy breaches, should be reported. They may be a sign of a bigger problem, so it is important for them to be investigated internally. It is far better to admit a minor HIPAA violation than for a colleague or patient to report it, or for it to be found during an audit or internal investigation.

A covered entity should look into potential HIPAA violations and determine whether HIPAA Rules have been violated. If so, it must be determined whether the violation is a reportable incident and whether the Department of Health and Human Services’ Office for Civil Rights (OCR) should be notified. To determine whether a breach is a reportable incident, a risk assessment should be conducted.

The HIPAA Breach Notification Rule requires covered entities (and their business associates) to report HIPAA violations to OCR, and the time limits for doing so are strict. If a breach has impacted 500 or more individuals, it should be reported as soon as possible and no later than 60 days after discovering the breach. Smaller breaches that impact fewer than 500 people may be reported yearly, but no later than 60 days after the end of the calendar year in which the breach was discovered. Breach notifications should be issued to patients as soon as possible, and certainly within 60 days of discovery, regardless of the number of individuals impacted by the breach.

When is the Right Time to Report a HIPAA Violation to OCR?

Although all HIPAA violations must be reported within the organization, a complaint about a HIPAA violation (or potential violation) may also be submitted to OCR. Note that OCR will only investigate a complaint if the complainant provides contact information; anonymous complaints are unlikely to be investigated by OCR.