If you need to make a HIPAA complaint, do you know who complaints should be directed to within your covered entity? All healthcare staff who believe that have knowledge of a violation of HIPAA should report the violation internally. Generally, organizations have an appointed Privacy Officer, and this is normally the person you should report violations to.
Reporting HIPAA Violations Internally
As part of your internal HIPAA training, you should have been informed about who you should direct any HIPAA complaints to, as well as the process of how to make complaints about possible HIPAA violations. In general, HIPAA violations are reported to someone inside the organization who has been tasked with managing HIPAA compliance: normally a Privacy Officer or CISO. You can also report potential incidents to your supervisor.
Every HIPAA violation should be reported, including seemingly small or inconsequential violations. They may be a sign of a wider issue and should therefore be looked into as soon as possible. Involuntary violations should be reported too – it would be much worse if something were found during an audit or by regulators than if it had been self reported.
Covered entities have a duty to investigate HIPAA complaints and judge whether a violation has occurred or not, as well as whether it warrants notification to the Department of Health and Human Services’ Office for Civil Rights (OCR), in line with the HIPAA Breach Notification Rule. Some breaches do not need to be reported. Risk assessments should be carried out to establish which breaches should be reported.
Covered entities and their business associates are obligated under the Breach Notification Rule to report relevant HIPAA violations to the OCR within defined deadlines. Notification should be given for breaches affecting over 500 people as early as possible and within a hard deadline of 60 days from the date of discovering the breach. If fewer than 500 people are affected, a looser deadline is enforced – the event must be reported within 60 days of the start of the following calendar year (so a breach discovered in January 2009 would need to be reported to the OCR by early March 2010 at the latest). In both small and large scale breaches, patients and those affected must be informed within 60 days of discovery of the breach.
When Should HIPAA Violations be Reported to OCR?
As mentioned above, every HIPAA violation or potential violation should be reported within your organization, but they can also be reported directly to the OCR. It is important to be aware that the OCR does not investigate anonymous reports and will only act if the complainant includes their details.