What Happens After a HIPAA Complaint is Filed

Even when you do the best you can to comply with HIPAA regulations, violations and breaches may occur. Clients or patients may report what they think are violations, even when they’re not.

What happens after a HIPAA complaint is filed? What rights do you have as a covered entity or business associate? And what is the worst-case scenario?

Common Violation Examples – What Happens After a HIPAA Complaint is Filed?

The Department of Health and Human Services Office for Civil Rights (HHS OCR) has primary responsibility for investigating alleged violations of HIPAA rules and regulations and conducting audits of covered entities (healthcare providers, insurance companies, and healthcare data clearinghouses) and business associates (vendors who take possession of PHI while performing work on behalf of a covered entity or another business associate). 

Covered entities and business associates must report all breaches to the HHS Secretary. The HIPAA Breach Notification Rule specifies timelines and other reporting requirements based on the size of the breach. 

HHS OCR’s investigatory purpose is to look for violations that caused or contributed to the breach of PHI. There has never been a fine or penalty assessed for a breach of a patient’s protected health information (PHI)

From 2017 to 2020, the top five issues found during investigations that led to corrective action fell into the following categories:

  • Impermissible Uses & Disclosures
  • Safeguards
  • Administrative Safeguards
  • Access
  • Technical Safeguards

Examples of violations include: stolen/lost laptops and smartphones with unencrypted PHI; sending PHI to the wrong patient/contact; malware incidents caused by employees falling for phishing scams or ransomware attacks; and employees reviewing PHI of friends or family members without an authorized purpose.

Let’s Simplify Compliance

Protect your business from HIPAA violations. Become HIPAA compliant today!

Learn More!
HIPAA Seal of Compliance