What is HIPAA Violation Reporting?

HIPAA violation reporting consists of a patient, employee, or other individual who believes a healthcare organization has violated one or more HIPAA regulations, filing a complaint. The complaint is filed with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). HIPAA violation reporting requirements are discussed in greater detail below.

HIPAA Violation Reporting: When Must a Complaint be Filed?

Just as individuals filing cases in civil court are bound by statutes of limitation, which limit how long they have to file a lawsuit, individuals engaged in HIPAA violation reporting are subject to time limits. Under the HIPAA regulations, the person who is complaining (the “complainant”) must submit the complaint with OCR within 180 days from the time  the complainant discovered the violation. There is a narrow exception to having to comply with this HIPAA violation reporting deadline. If an individual shows “good cause” for why he or she could not file the complaint within 180 days, OCR may grant an extension of time. To show good cause is to demonstrate that circumstances, such as the plaintiff’s having been in the hospital with a serious illness, made submitting the complaint within 180 days impossible.

HIPAA Violation Reporting: What Must a Complaint Allege?

HIPAA violation reporting results in OCR receiving thousands of complaints every year. However, OCR will only investigate a complaint under certain circumstances. For OCR to investigate a complaint, the complaint must allege an activity that, if proven true, would actually constitute a HIPAA violation. That is, the allegation, if proven true, would actually constitute a violation of the HIPAA Privacy Rule, the HIPAA Security Rule, or the HIPAA Breach Notification Rule. This limitation on what a complaint alleges, ties to OCR’s jurisdiction. OCR can only investigate conduct that violates one of these rules. Therefore, HIPAA violation reporting must allege violation of one or more of these rules.

Can HIPAA Violation Reporting be Made Anonymously?

HIPAA violation reporting can be done anonymously; supplying a name and contact information to OCR in a complaint is not required. As a practical matter, though, filing an anonymous complaint will not serve a deterrent effect. OCR has stated that it will not conduct investigations as a result of an anonymous complaint. Therefore, if a complainant actually wants the wrongdoing to be remedied, the HIPAA violation reporting must include the complainant’s name, signature, and contact information.

Can Someone be Retaliated Against for HIPAA Violation Reporting?

OCR, to encourage individuals to file complaints, prohibits covered entities and business associates from taking retaliatory action against someone who has submitted a complaint about an alleged HIPAA violation. If an individual believes he or she has been retaliated against, the individual must notify OCR.

What is HIPAA Violation Reporting Retaliation?

HIPAA violation reporting retaliation occurs when a covered entity or business associate threatens, intimidates, coerces, harasses, discriminates against, or takes any other retaliatory action against any individual or other person for certain activities. In addition to filing a complaint, these activities include testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing. These activities also include opposing any act or practice that is unlawful under HIPAA. The opposition cannot, itself, violate HIPAA. The complainant cannot illegally disclose PHI as part of his or her opposition. The person engaging in the opposition must have a good-faith belief that what he or she is opposing, is unlawful. This is lawyer-speak for saying that a complainant cannot “make up” a complaint against a covered entity, and cannot accuse the covered entity of a HIPAA violation without sincerely believing that there is one.

What constitutes opposition? Courts have found “opposition” to occur when, for example, a staff  physician at a Veterans Affairs (VA) Hospital observed, in the course of his duties, numerous instances of conduct that he believed violated professional and clinical standards of healthcare provision, and that potentially endangered patients. The physician disclosed this conduct internally and to, among others, individuals within the VA’s Inspector General Office, and to his Senator and House Representative. In disclosing the details of the misconduct, the physician disclosed PHI relating to:

An unnecessary and improperly performed medical procedure and a patient abuse incident;

A poorly supervised procedure that allegedly caused a patient’s death;

A resident’s failure to follow instructions, allegedly causing harm to a patient;

Inadequate supervision and training of interns, which could potentially endanger patients; and

Claims of mismanagement of physicians’ workloads and resulting instances of improper or inadequate patient care.

The court concluded that the physician had made these disclosures based on a good-faith belief that violations were occurring.

See How It Works