To Whom Should HIPAA Complaints be Reported Within a Covered Entity?

45 CFR § 164.530

HIPAA complaints within the covered entity should be reported to an immediate supervisor or, if the complaint originates from a member of the public, to the Privacy Officer responsible for documenting the complaint and responding to it. However, organizations are allowed to develop their own policies and procedures for reporting HIPAA complaints, and in such cases you should comply with the organization's policies and procedures.

Internal Reporting of Potential HIPAA Violations

Your HIPAA training should have included information concerning who should receive HIPAA complaints within the covered entity, as well as the procedures for submitting complaints regarding potential HIPAA violations. Generally, a HIPAA violation must be reported to the individual responsible for HIPAA compliance within your organization. Typically, that person is the Privacy Officer or CISO. Reporting the violation to your supervisor might be more convenient, and is acceptable where the organization's policies allow it.

All HIPAA violations, including relatively minor privacy breaches, should be reported. They may be a sign of a bigger problem, so it is important for them to be investigated internally. It is far better to admit a minor HIPAA violation than for a colleague or patient to report it, or for it to be found during an audit or internal investigation.

A covered entity should look into potential HIPAA violations and determine whether the HIPAA Rules have in fact been violated. If so, it must be determined whether the violation is a reportable incident and whether the Department of Health and Human Services' Office for Civil Rights (OCR) should be notified. To determine whether an incident is a reportable breach, a risk assessment should be conducted to establish the probability that the PHI involved has been compromised.

The HIPAA Breach Notification Rule requires covered entities to report breaches of unsecured PHI to OCR (business associates report breaches to the covered entity, which in turn notifies OCR). The time schedule for doing so is strict. If a breach has impacted 500 or more individuals, it must be reported without unreasonable delay and no later than 60 days after discovery of the breach. Smaller breaches that impact fewer than 500 people may be logged and reported annually, but no later than 60 days after the end of the calendar year in which the breach was discovered. Breach notifications must be issued to the affected individuals without unreasonable delay, and certainly within 60 days of discovery, regardless of the number of individuals impacted by the breach.

When is the Right Time to Report a HIPAA Violation to OCR?

Although all HIPAA violations must be reported within the covered entity, a complaint about a HIPAA violation (or potential violation) may also be submitted directly to OCR. Take note that OCR will only investigate a complaint if the complainant provides their name and contact information. Anonymous complaints are unlikely to be investigated by OCR.


Internal Reports of HIPAA Violations: FAQ

Do Covered Entities require a separate HIPAA Security Officer and HIPAA Privacy Officer?

No, not necessarily. Covered Entities must designate a HIPAA Privacy Officer and a HIPAA Security Officer, but these need not be separate people. Smaller Covered Entities, for example, may choose instead to combine the roles into a single "HIPAA Compliance Officer" who takes responsibility for both positions. This individual serves as a point of contact for employees who have HIPAA-related concerns, and also for members of the public.

What are the penalties for HIPAA violations?

Penalties for HIPAA violations vary depending on the severity of the violation. A covered entity may choose to send the employee who committed the violation on a training course or, in more severe cases, may choose to suspend them (or even dismiss them). If the violation requires notification to the Department of Health and Human Services' Office for Civil Rights, OCR has its own penalty structure. In many cases OCR will require a corrective action plan. In others, for example where PHI was deliberately accessed for personal gain, criminal penalties may be pursued; criminal cases are referred to the Department of Justice.

What is the difference between a HIPAA violation and a HIPAA breach?

A HIPAA violation is any case where the HIPAA Rules have not been followed. The nature of HIPAA violations is incredibly varied. Possible violations include sharing login details with a colleague, a patient overhearing a conversation between two doctors discussing another patient, leaving a filing cabinet unlocked, losing a mobile device with PHI stored on it, and so on. A HIPAA breach, however, is an impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of that PHI. Not all HIPAA violations result in breaches.

Do incidental violations of HIPAA need to be reported?

Yes, incidental HIPAA violations should be reported. Incidental violations are those that occur despite the best efforts of employees and could not have been prevented. For example, if two doctors are discussing a patient in a private room, and a third doctor walks in and overhears part of the conversation, it would be considered an incidental HIPAA violation. Reporting these violations can help to ensure they do not occur in the future.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/