Discovering a Health Insurance Portability and Accountability Act (HIPAA) violation in the workplace requires prompt action to prevent further harm and ensure compliance. The steps you take depend on the nature of the violation, whether unsecured protected health information (PHI) has been disclosed, and the potential consequences.
Is it necessary to report a HIPAA violation in the workplace?
Yes, reporting suspected HIPAA violations is necessary. If you believe you have accidentally violated HIPAA rules or observe non-compliance by a colleague or employer, it is beneficial to report the incident. The Department of Health and Human Services’ Office for Civil Rights (OCR) may impose financial penalties for uncorrected HIPAA violations discovered during investigations, data breaches, or audits. However, if a violation is identified internally and corrective action is taken, such penalties are less likely. Reporting also allows the organization to mitigate harm and prevent future incidents.
Who should be notified about a potential HIPAA violation?
Employees who discover a HIPAA violation should report it to their supervisor or the organization’s HIPAA privacy officer. The privacy officer will conduct an investigation, including a risk assessment, to determine if the violation is reportable. Not all internal violations require external reporting, but failing to notify affected individuals and OCR of a reportable breach of unsecured PHI can result in financial penalties. Corrective actions may involve updating policies and procedures or providing additional staff training. Employees may file a complaint directly with OCR if internal reporting does not result in action or if the violation is severe.
How long do you have to report a HIPAA violation?
HIPAA violations should be reported internally immediately upon discovery. Individuals who believe a covered entity has violated HIPAA rules can also file a complaint directly with OCR. Complaints should generally be submitted within 180 days of discovering the violation, although extensions may be granted for good cause. While anonymous complaints are accepted, providing your name and contact information is preferred so that OCR can conduct a thorough investigation.
Do HIPAA violations have to be reported?
HIPAA does not explicitly require individuals to report every violation they encounter. However, covered entities must report breaches of unsecured PHI to affected individuals, the Department of Health and Human Services, and, in certain cases, the media. Business associates must also report breaches to the covered entity. Reporting violations helps ensure compliance, protect patient privacy, and prevent further breaches. Some states have additional reporting requirements, so it is advisable to consult state-specific regulations.
How to report a HIPAA violation anonymously
There are ways to report a HIPAA violation anonymously, but due to the risk that an anonymous report may be dismissed by OCR, it is often a better option to provide your name and contact details while requesting confidentiality. If you do not want to report directly to OCR, you may also be able to file a complaint anonymously with another agency or the organization where the violation occurred.
When filing a complaint via the OCR complaints page, you are required to provide your name and contact details. OCR cannot follow up for further details without this information, making an investigation unlikely. For those who still wish to report anonymously, alternative options include mailing a written complaint or calling OCR at (800) 368-1019. Some OCR regional offices may also accept anonymous reports.
OCR is not the only agency that enforces HIPAA. The Centers for Medicare and Medicaid Services (CMS), the Federal Trade Commission (FTC), and the Department of Justice may also handle complaints related to HIPAA violations. Reporting to a state attorney general’s office may also be an option in certain cases.
Another anonymous reporting method is to notify the organization directly. While this may not lead to formal enforcement action, it can prompt internal corrective measures that prevent further violations.
Examples of HIPAA violations by employers
Employers may commit HIPAA violations in various ways, including:
Improper access to employee health information
Employers access and review employees’ medical records without a legitimate need or authorization.
Inadequate safeguards for employee health information
Failing to implement appropriate security measures, such as storing health records in unsecured locations.
Unauthorized disclosure of employee health information
Sharing an employee’s medical details with unauthorized individuals.
Retaliation against employees
Taking adverse actions against employees for exercising their HIPAA rights, such as filing a complaint.
Insufficient employee training
Neglecting to provide adequate HIPAA training, which leads to unintentional violations.
Improper use of employee health information
Using health information for non-healthcare-related purposes, such as employment decisions.
Lack of written policies and procedures
Failing to establish and maintain HIPAA-compliant policies and procedures.
In the news
Employees who discover a HIPAA violation must act swiftly to prevent harm and ensure compliance. A notable example occurred at Methodist Hospital, where six individuals, including five former employees, pleaded guilty in 2023 to unlawfully disclosing the PHI of motor vehicle accident victims. From November 2017 to January 2020, these employees provided patient names and contact details to Roderick Harvey, who then sold the information to personal injury lawyers and chiropractors. The Department of Justice (DOJ) stated that HIPAA violations can carry severe penalties, including criminal charges. The former hospital employees face up to one year in prison and a $50,000 fine for each violation, while Harvey could face up to five years in prison and a $250,000 fine. The case shows the importance of internal reporting; had the violations been identified and addressed internally, legal repercussions might have been mitigated.
FAQs
What happens if I am not an employee but witness a HIPAA violation?
If you are a member of a covered entity’s workforce, report the violation to your immediate manager or supervisor. If you are a member of the public, you can raise the issue with the organization’s HIPAA privacy officer or file a complaint with OCR.
When I raised a violation concern with my supervisor, I was told HIPAA did not apply. Can this be true?
HIPAA may not apply in certain situations, such as when the organization is not a covered entity or when other laws preempt HIPAA. It’s advisable to seek clarification from the organization’s privacy officer or consult external resources to confirm.
Should reporting violations be included in HIPAA training?
Yes, the process for reporting violations should be part of HIPAA training to ensure employees understand how to report potential issues.
Why doesn’t OCR investigate anonymous reports?
Anonymous reports can lead to unsubstantiated complaints. Providing contact information allows OCR to conduct a thorough investigation.