HIPAA Violation Reporting

HIPAA violations occur when a healthcare organization, or a business working with protected health information (PHI), fails to follow the rules set forth by HIPAA. Patients, or employees of an organization, may report suspected violations to the Department of Health and Human Services (HHS). HIPAA violation reporting requirements, and how to report HIPAA violations, are discussed below.

When Should HIPAA Violation Reporting Occur?

Suspected HIPAA violations should be reported within 180 days of discovery. There is, however, an exception to the 180-day rule. If the entity reporting the HIPAA violation can show ‘good cause’ to prove that it was not possible to report within the 180-day timeframe, it may be issued an extension.

Anonymous HIPAA Violation Reporting for Healthcare Organizations

The Department of Health and Human Services (HHS), in accordance with the Whistleblower Protection Act, requires employees to have the means for anonymous HIPAA violation reporting. Compliancy Group’s HIPAA compliance software allows for anonymous HIPAA violation reporting.

As part of our HIPAA training program, each employee is provided with unique login credentials to complete their training in our HIPAA software, the Guard™. Within this platform, users have the ability to report suspected HIPAA violations anonymously. Administrators have the ability to track incidents, but they cannot see who reported the violation.

Anonymous Reporting for Patients

Patients who believe their HIPAA rights were violated may report the violation via the HHS Office for Civil Rights (OCR) online complaint portal. Complaints can also be submitted by mail, email, or fax.

Investigation of HIPAA Violation Reporting

Although individuals have the right to anonymous HIPAA violation reporting, the OCR states that it may not investigate anonymous complaints. For a complaint to be investigated, complainants must include their name, contact information, and signature.

Complainants who fear retaliation for reporting a HIPAA violation can choose to deny consent for OCR to reveal their identity, or any information that could lead to their identification.