A guide to reporting HIPAA violations

Anyone who suspects a HIPAA violation by a healthcare provider, an insurance company, or another covered entity, must report the violation to the Office for Civil Rights (OCR) within the Department of Health and Human Services or the entity's internal compliance office.

Defining a HIPAA breach

In the US, the Health Insurance Portability and Accountability Act protects the privacy and security of protected health information (PHI). A HIPAA violation is a security incident where PHI is accessed, disclosed, or exposed without patient authorization. Data breaches can occur due to cyberattacks, hacking, unauthorized access, insider threats, or even unintentional actions.

The most common HIPAA violations include:

• Disclosure of PHI without consent
• Failure to protect medical records
• Unauthorized access to patient records
• Inadequate employee training in data security
• Transmission of PHI on unsecured channels like unencrypted email

Go deeper: Impact of data breaches on email

Choose the correct channel of reporting

There are two ways to file HIPAA violations:

1. With the U.S. Department of Health and Human Services Office for Civil Rights 
2. Internally, with the healthcare organization where the breach has occurred. 

Reporting to the HHS Office for Civil Rights (OCR)

OCR is the federal government agency responsible for the implementation of HIPAA. According to the HHS OCR complaint portal assistant, “If you believe that a covered entity violated your (or someone else's) health information privacy rights or committed another violation under the HIPAA Privacy, Security, and Breach Notification Rules or the Patient Safety Act and Rule, you may file a complaint with OCR.”

Under the official complaint portal,

1. Click on ‘File a Civil Rights and Conscience Complaint’ if you believe you or someone else has been discriminated against based on race, color, national origin, disability, age, sex, or religion by a covered entity that HHS has jurisdiction to investigate for a violation of federal civil rights laws, or the covered entity otherwise violated federal provider conscience laws.
2. Select ‘File a Health Information Privacy Complaint’ or ‘File a Security Rule Violation Complaint’, if you believe a covered entity or a business associate violated the Privacy, Security, or Breach Notification Rules (the HIPAA Rules).
3. Enter the complainant's information.
4. Complete the complaint details. 
5. Add any relevant additional information.
6. Sign the complaint and consent.
7. Review and submit the complaint.

Using internal reporting mechanisms

Most healthcare organizations have internal mechanisms for reporting, often through an anonymous hotline or suggestion box. These contact details are usually in the employee handbook.

When available, complainants can use an anonymous web form option from the organization's compliance website. Healthcare organizations might also have an anonymous physical suggestion box in the facility.

Additional tips for reporting a HIPAA violation

The HIPAA complaint should include:

• Date and time of the violation
• Who was involved (names, titles, and other identifying information)
• A description of the violation
• Available evidence like email, documentation, photographs
• Any internal action that has already been taken to try and address the matter, if applicable

What happens after filing a HIPAA violation report?

Reporting HIPAA violations protects the patient's rights to privacy and holds an organization responsible for safeguarding personal health information. The OCR views these infractions seriously, imposing fines or requiring corrective action from the guilty organization. So, the OCR Complaint Portal allows complainants to check on the status of their report. 

Additionally, internal reporting systems allow complainants to follow up, using only a case number, without revealing their identity. While anonymity protects your identity, doing so can impede the investigative process.

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

What is PHI?

Protected health information (PHI) is any information that can be used to identify a patient and relates to their health status, treatment, or payment for healthcare.

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.