What is HIPAA Violation Reporting?

The Department of Health and Human Services is responsible for investigating reports of violations of the HIPAA regulations. Anyone can report activity that he or she believes violates the HIPAA Privacy Rule or the HIPAA Security Rule. HIPAA violation reporting is subject to several requirements. These requirements are discussed in greater detail below.

HIPAA Violation Reporting: Rules for Patients

Covered entities are required to have patients sign a Notice of Privacy Practices that explains how the patient’s information may be used and disclosed, and the patient’s rights.

The Notice of Privacy Practices must contain language explaining a patient’s right to report a suspected HIPAA violation. The Notice of Privacy Practices (NPP) must also contain language notifying a patient that they may file a complaint with a provider, if the patient believes his or her privacy rights have been violated. The NPP must provide the name and contact information of the person the patient should send the complaint to. The NPP must also state that the patient will not be subject to retaliation for the patient’s HIPAA violation reporting. Finally, the NPP must advise a patient that he or she may also file a complaint with the Secretary of Health and Human Services.

HIPAA Violation Reporting: Rules for Employees

Patients are not the only individuals who engage in HIPAA violation reporting. Members of a provider’s workforce, and business associates, may also engage in HIPAA violation reporting. Under the HIPAA Privacy Rule, providers must provide a process for individuals to make complaints concerning provider compliance with the HIPAA regulations. HIPAA leaves the exact steps to be followed under the reporting process to the discretion of the provider. However, whatever the provider concludes at the end of the investigation must be documented in the complaint, including how the issue was resolved.

HIPAA retaliation for HIPAA violation reporting is prohibited. Covered entities and business associates may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by the HIPAA Privacy, Security, and Breach Notification Rules. These rights include the right to file a complaint.

Protected “participation in a process” includes testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing related to a complaint. In addition, covered entities and business associates may not retaliate against an individual for that individual’s opposing any act or practice that is unlawful under HIPAA, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information that violates the Privacy Rule.

“Opposition” activity includes activities that are less formal than investigations, proceedings, or hearings. Opposition activity includes conversations, verbal complaints, and any other measures that indicate someone opposes what he or she believes is unlawful under HIPAA. As noted above, opposition must be reasonable. This means that opposition must not consist of behavior that may otherwise subject an employee to disciplinary action. Opposition is not reasonable if an employee’s opposition constitutes a threat to the safety of the rest of the workforce.

Neither employees nor patients are required to file a report with the provider. Both employees and patients may engage in HIPAA violation reporting by filing a complaint with HHS directly. A provider may not retaliate against an employee or a patient for not having notified the provider of a complaint before the complaint was filed with HHS.