HIPAA Violation Reporting: How Does It Work?

In the modern world, it is virtually impossible to get medical treatment without disclosing a lot of private information. What happens to that information -- kept by doctors' offices, hospitals, pharmacists and other medical professionals with access to patient data -- is regulated by the government through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to protect the patient's privacy, safety and security.

And yet, data breaches still happen in medical institutions, sometimes maliciously but more often by accident. Read on to learn what HIPAA violations are and how to report one, whether as a patient or as a medical professional.


What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a set of national standards, enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), that protect the confidentiality, integrity, and availability of patients' protected health information (PHI) whenever it is used, stored, shared, or transmitted by the organizations that handle it.

PHI is individually identifiable health information. HHS lists 18 identifiers whose presence makes health information identifiable; the most common are:

  • Name, street address, phone number, fax number, and email address
  • Social Security number (SSN)
  • Health plan beneficiary number
  • Medical record number
  • Account and certificate/license numbers, including driver's license number
  • Personal dates (e.g. hospital admission/discharge, birth/death, etc.)
  • Vehicle identifiers and device identifiers/serial numbers
  • IP addresses and web URLs
  • Biometric identifiers (e.g. fingerprints, voiceprints, retinal scans, etc.)
  • Full-face photos
  • Any other unique number, characteristic, or code (such as handwriting or a signature) by which a patient can be identified

Principal HIPAA Rules

The HIPAA rules that matter most when PHI is exposed are:

HIPAA Privacy Rule

The Privacy Rule regulates how covered entities and their business associates may use and disclose PHI, strictly limiting who can access the information, with whom it can be shared, and under what conditions.

HIPAA Security Rule

The Security Rule covers PHI held in electronic form (ePHI). It requires administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI against unauthorized access, whether by outside attackers or by insiders.

Breach Notification Rule

The Breach Notification Rule requires a covered entity that discovers a breach of unsecured PHI to notify each affected individual without unreasonable delay, and in no case later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to the Secretary of HHS within the same 60-day window and to prominent media outlets serving the affected state or jurisdiction; smaller breaches are logged and reported to the Secretary annually, within 60 days of the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity it serves so that the covered entity can make these notifications.

Who Is Responsible For Upholding HIPAA Rules?

HIPAA applies to the organizations and individuals that fall into one of two categories, "covered entity" or "business associate":

Covered Entities

This category covers health care providers (medical clinics, doctors, psychologists, chiropractors, dentists, pharmacies, nursing homes); health plans (insurance companies, HMOs, company health plans, and government plans such as Medicaid, Medicare, and military and veterans' health care programs); and health care clearinghouses (services that convert nonstandard health information into a standard format, or vice versa).

Business Associates

A business associate is a person or company that creates, receives, maintains, or transmits PHI on a covered entity's behalf, usually in an administrative or technical capacity (e.g. claims processing, data analysis, quality assurance, utilization review, billing, pricing, and IT vendors such as cloud and hosting providers that store ePHI). Business associates must sign a business associate agreement (BAA) with the covered entity and are directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.

Different HIPAA Violations

Some HIPAA violations cause serious harm, though many small, good-faith mistakes come and go without doing damage or being noticed. Most violations are caused not by criminal attacks but by negligence or ignorance on the part of those handling patient data, which is why staff training matters so much.

Among the most common "accidental" offenses against HIPAA rules are:

Improper Disposal Of Records

Medical offices are required to store records securely and to destroy them properly when they are disposed of (shredding paper records, and wiping or physically destroying electronic media); these procedures are not always followed.

Unencrypted Data

Encryption of ePHI is an "addressable" implementation specification in the Security Rule rather than an outright requirement: an organization must either implement it where reasonable and appropriate, or document why it did not and what equivalent safeguard it uses instead. In practice it is strongly recommended. PHI that is encrypted according to HHS guidance is not considered "unsecured", so its loss or theft generally does not trigger breach notification, whereas an organization that leaves PHI unencrypted and then loses it to an attacker faces both the notification duty and potential liability for failing to secure it.

Employee Imprudence

By far the most common violation, and the easiest to prevent with training, is employees discussing patients' PHI openly with one another within earshot of unauthorized parties, forgetting that the information is confidential.

Who Can Report A HIPAA Violation?

Patients who believe their HIPAA rights have been violated, as well as workforce members of covered entities and business associates who have observed a violation at work, can file a HIPAA complaint.

Reporting HIPAA Violations

If the Privacy, Security, or Breach Notification Rule has been violated, a complaint can be filed internally within the organization and externally with the HHS Office for Civil Rights (OCR).

HIPAA Violation Reporting For Employees

When a workforce member of a covered entity or business associate notices a HIPAA violation, the reporting procedure depends on the organization. In one workplace the protocol may be a verbal report to the immediate supervisor or manager; in another it may be a written complaint to the organization's Privacy or Security Officer.

If the matter is not resolved internally to the employee's satisfaction and in a timely manner, the report can be escalated to OCR or, in serious cases, to the State Attorney General, who can bring civil actions for HIPAA violations. (HIPAA itself gives individuals no private right of action, so a lawsuit over a violation must rest on state law rather than on HIPAA directly.)

If the workforce member withholds consent in the consent section at the end of the complaint form, OCR will not disclose their identity to the covered entity or business associate if the case is investigated. In any case, it is unlawful for a covered entity or business associate to intimidate, threaten, or retaliate against anyone for filing a HIPAA complaint.

HIPAA Violation Reporting For Patients

Patients who believe their HIPAA rights have been violated can file a complaint with OCR by mail, email, or fax, or online through the OCR complaint portal.

(Complaints are not limited to the affected patient: someone who believes they have witnessed a violation involving another person's PHI, as well as a health care worker reporting a violation observed on the job, can also file a complaint with OCR.)

A complaint filed online needs to include:

  • the name and contact information of the person filing the complaint
  • the name of the covered entity or business associate the complaint is filed against
  • a detailed description of the acts or omissions believed to have violated the Privacy, Security, or Breach Notification Rule

The complaint must be filed within 180 days of the date the complainant knew, or should have known, of the violation; OCR may extend this deadline if "good cause" can be shown.

What Happens After A Complaint Is Filed?

OCR, HIPAA's primary enforcer, reviews the complaint and, if it falls within OCR's jurisdiction, may open an investigation. If OCR finds that the named covered entity or business associate violated HIPAA, it decides how the case is to be resolved.

Where a violation is confirmed, the organization is expected to correct the problem promptly and may be required to enter into a resolution agreement with a settlement payment, or be assessed civil money penalties. These payments go to HHS; HIPAA itself does not award compensation to the affected patients.

If the organization fails to comply with OCR's corrective action plan, further financial penalties can follow.

Preventative HIPAA Compliance Is Key!

Not every OCR investigation ends in a government fine or settlement payment (though some do). More often the issue is resolved through voluntary compliance, technical improvements, or a corrective action plan that the covered entity or business associate agrees to follow to ensure HIPAA compliance in the future.

The key to HIPAA compliance lies in preventive measures, namely:

  • Developing a robust HIPAA compliance checklist (and sticking to every protocol in it)
  • Educating the workforce to understand HIPAA rules and take them seriously as part of their professional training

Make EasyLlama's user-friendly, mobile-optimized program take care of your HIPAA compliance e-training needs!

Written by: Maria Malyk
