Discovering a Health Insurance Portability and Accountability Act (HIPAA) violation in the workplace requires prompt action to prevent further harm and ensure compliance. The steps you take depend on the nature of the violation, whether unsecured protected health information (PHI) has been disclosed, and the potential consequences.
Yes, reporting suspected HIPAA violations is necessary. If you believe you have accidentally violated HIPAA rules or observe non-compliance by a colleague or employer, it is beneficial to report the incident. The Department of Health and Human Services’ Office for Civil Rights (OCR) may impose financial penalties for uncorrected HIPAA violations discovered during investigations, data breaches, or audits. However, if a violation is identified internally and corrective action is taken, such penalties are less likely. Reporting also allows the organization to mitigate harm and prevent future incidents.
Employees who discover a HIPAA violation should report it to their supervisor or the organization’s HIPAA privacy officer. The privacy officer will conduct an investigation, including a risk assessment, to determine if the violation is reportable. Not all internal violations require external reporting, but failing to notify affected individuals and OCR of a reportable breach of unsecured PHI can result in financial penalties. Corrective actions may involve updating policies and procedures or providing additional staff training. Employees may file a complaint directly with OCR if internal reporting does not result in action or if the violation is severe.
HIPAA violations should be reported internally immediately upon discovery. Individuals who believe a covered entity has violated HIPAA rules can also file a complaint directly with OCR. Complaints should generally be submitted within 180 days of discovering the violation, although extensions may be granted for good cause. While anonymous complaints are accepted, providing your name and contact information is preferred so that OCR can conduct a thorough investigation.
HIPAA does not explicitly require individuals to report every violation they encounter. However, covered entities must report breaches of unsecured PHI to affected individuals, the Department of Health and Human Services, and, in certain cases, the media. Business associates must also report breaches to the covered entity. Reporting violations helps ensure compliance, protect patient privacy, and prevent further breaches. Some states have additional reporting requirements, so it is advisable to consult state-specific regulations.
There are ways to report a HIPAA violation anonymously, but due to the risk that an anonymous report may be dismissed by OCR, it is often a better option to provide your name and contact details while requesting confidentiality. If you do not want to report directly to OCR, you may also be able to file a complaint anonymously with another agency or the organization where the violation occurred.
When filing a complaint via the OCR complaints page, you are required to provide your name and contact details. OCR cannot follow up for further details without this information, making an investigation unlikely. For those who still wish to report anonymously, alternative options include mailing a written complaint or calling OCR at (800) 368-1019. Some OCR regional offices may also accept anonymous reports.
OCR is not the only agency that enforces HIPAA. The Centers for Medicare and Medicaid Services (CMS), the Federal Trade Commission (FTC), and the Department of Justice may also handle complaints related to HIPAA violations. Reporting to a state attorney general’s office may also be an option in certain cases.
Another anonymous reporting method is to notify the organization directly. While this may not lead to formal enforcement action, it can prompt internal corrective measures that prevent further violations.
Employers may commit HIPAA violations in various ways, including:
Accessing and reviewing employees’ medical records without a legitimate need or authorization.
Failing to implement appropriate security measures, such as storing health records in unsecured locations.
Sharing an employee’s medical details with unauthorized individuals.
Taking adverse actions against employees for exercising their HIPAA rights, such as filing a complaint.
Neglecting to provide adequate HIPAA training, which leads to unintentional violations.
Using health information for non-healthcare-related purposes, such as employment decisions.
Failing to establish and maintain HIPAA-compliant policies and procedures.
Employees who discover a HIPAA violation must act swiftly to prevent harm and ensure compliance. A notable example occurred at Methodist Hospital, where six individuals, including five former employees, pleaded guilty in 2023 to unlawfully disclosing the PHI of motor vehicle accident victims. From November 2017 to January 2020, these employees provided patient names and contact details to Roderick Harvey, who then sold the information to personal injury lawyers and chiropractors. The Department of Justice (DOJ) stated that HIPAA violations can carry severe penalties, including criminal charges. The former hospital employees face up to one year in prison and a $50,000 fine for each violation, while Harvey could face up to five years in prison and a $250,000 fine. The case shows the importance of internal reporting; had the violations been identified and addressed internally, legal repercussions might have been mitigated.
If you are a member of a covered entity’s workforce, report the violation to your immediate manager or supervisor. If you are a member of the public, you can raise the issue with the organization’s HIPAA privacy officer or file a complaint with OCR.
HIPAA may not apply in certain situations, such as when the organization is not a covered entity or when other laws preempt HIPAA. It’s advisable to seek clarification from the organization’s privacy officer or consult external resources to confirm.
Yes, the process for reporting violations should be part of HIPAA training to ensure employees understand how to report potential issues.
Anonymous reports can lead to unsubstantiated complaints. Providing contact information allows OCR to conduct a thorough investigation.