Voted Best Sexual Harassment Training Solution in 2021 by The Balance SMB

How to Report HIPAA Violations: The Ultimate Guide

Let's face it, HIPAA violations are a costly reality at work. For both employees and employers, HIPAA infractions are punishable by heavy fines and penalties. Internal personnel and management must pay close attention to avoid HIPAA violations.

This article will outline what you need to know about reporting HIPAA violations, including who should be reported these breaches, what should be reported, and information on the repercussions for violating this regulation.

Note: If you are an employer who needs help being HIPAA compliant, try EasyLlama. Our online HIPAA compliance training can get your workforce regulated to follow the laws and help you avoid unnecessary penalties. Get in touch with us to try a free trial of our interactive course to avoid a HIPAA violation and get your workplace compliant.

Why Should HIPAA Violations be Reported?

For a healthcare organization to learn from its mistakes and move in the right direction in protecting patients' private information, it is necessary for employees to report a HIPAA violation.

Imagine this scenario. You work in the medical billing department of a company. One day, you notice that a patient's insurance information was improperly disclosed to another patient because someone left a paper containing crucial information unattended. 

You have two options to report a HIPAA violation:

You can either email senior management about this HIPAA violation or you can turn in an incident report to the Privacy Officer, who will then handle reporting this violation.

If you email Senior Management about this HIPAA violation, your manager might not know how serious it is and brush over the incident. If that happens, the chance of a recurrence is high since no action was taken. 

However, if you file a report with a privacy officer, your company will know that this is a severe HIPAA law violation and be able to handle it accordingly. 

Furthermore, if you email senior management about this HIPAA violation, you could potentially get in trouble with the law for not reporting it.

That said, if you have knowledge of a HIPAA violation happening in your workplace, do not be afraid to speak up. Don't worry about any negative consequences because anyone who reports violations will be protected under HIPAA law (the Privacy Rule). The only real risk involved is that of a facility mishandling your complaint.

How to Report A HIPAA violation Via The Office For Civil Rights

When you report a HIPAA violation, whether it is about physical paper documents or electronic files, employees should file a complaint with the Office for Civil Rights (OCR) -- an organization within the U.S. Department of Health and Human Services (HHS).  This can be done via mail, fax, or email, or through the OCR Complaint Portal.

When filing the complaint, including what happened and how it was a violation of HIPAA laws.

HIPAA Covered Entity

If you work for a HIPAA Covered Entity or Business Associate, your HIPAA Privacy Officer should be notified. Covered Entities usually have rules in place regarding employee reporting processes and might apply penalties to employees who discover a HIPAA violation and fail to report it.

If you are a Business Associate, you should notify your Covered Entity of any HIPAA breaches. After assessing the situation, the Covered Entity will decide whether or not to report it to OCR—conducting a risk assessment to establish the “probability of compromise” if required.

What Happens After You Report a HIPAA Violation?

After filing your complaint, what follows next is an investigation.

When a complaint is accepted for investigation, OCR notifies you and the entity you lodged a complaint against. 

The complainant and the aforementioned covered entity are then encouraged to submit any information they have regarding the issue or event described in the complaint.

To obtain a clear picture of the facts, OCR may ask for specific data from both parties. Note that the law requires covered entities to cooperate with such investigations.

When the investigation concludes, the OCR will send a letter, explaining the findings of the investigation. If it is determined that a medical practitioner did not follow the HIPAA regulations, they must promise to

  • comply voluntarily with the rules
  • take appropriate action if required, or
  • agree to a resolution
Although some HIPAA violations require immediate attention, OCR typically investigates within 180 days after being notified of an issue. 

What About the Penalties for HIPAA Violations?

Since the Privacy Rule is a federal regulation, there are clear penalties for failing to protect a patient's privacy. The first violation comes with a $100 fine per instance and then $200 for each additional one. However, if the health care organization does not fix or report these breaches within 60 days of the discovery, they will become repeat offenses and be assessed $1,000 each time. These fines are applied to both employees and employers alike.

What Are Common Types of Violations?

Unfortunately, HIPAA laws are frequently violated without anyone knowing and compliance fines add up. It doesn't take much to put someone's personal information at risk. 

Furthermore, because HIPAA rules are updated on a regular basis, an organization that was compliant a year ago may no longer be so today. 

Here are some of the common violations:

Inadequate Security Measures

Even if a facility takes every step possible to secure its patients’ data, it can still face consequences if there were insufficient measures in place, to begin with.

If an organization uses outdated security measures, they are more likely to be breached. It is the facility’s responsibility to keep up to date with regulations and ensure that all employees understand which security measures should be followed in order to protect patients.

Snooping on Healthcare Records

An employee who reads the health records of patients for purposes other than those permitted by the Privacy Rule – treatment, payment, and healthcare operations – is violating patient privacy. Snooping on one's family, friends, neighbors, co-workers, and celebrities' medical files is one of the most prevalent HIPAA infractions committed by staff. 

When these breaches are discovered, they generally result in termination of employment, although they might also lead to criminal charges for the offender.

Don’t hesitate to report such a violation when you discover it. 

Employee Indiscretion

Even the most well-trained employees can violate HIPAA regulations. When someone is entrusted with another person’s private information, they are expected to keep it safe at all costs. 

Although this may come down to an individual employee’s personality, part of the responsibility still lies with the organization as a whole.

When one person fails to uphold rules that others comply with, it reflects poorly on their co-workers and superiors.

Improper Disposal of Records

A facility cannot simply toss files with sensitive patient information into the trash. By doing so, they are doing very little to ensure that their patient's data is protected against theft or other unauthorized access.

It doesn't matter if they would never intend for another person or organization to see it; it still puts this information at risk of being compromised. This includes any documents related to medical treatment, insurance claims, and more.

3rd Party Disclosure of Private Health Information

When it comes to talking about PHI, you should only communicate with those who need to know, such as the patient, the doctors, and the person billing for the treatment, prescription, or other associated services.

 If you have access to PHI and discuss it with people who do not have authorized access to this information, you are in violation of HIPAA.

Another example of 3rd-party disclosure would be if a worker made a mistake and released the wrong person's information. The act may be unintentional in this instance, but the outcomes would be comparable to those resulting from a deliberate violation.

This type of breach can be prevented by educating all personnel who have access to patient information about HIPAA laws like this.

Gossiping

It is inadvisable to discuss PHI, even with people within the same organization. This includes sharing information about your current treatment at work or otherwise in public settings.

It may be tempting to discuss what's happening with others when they ask, but you have to keep in mind that all of this information must remain confidential. It could lead to disciplinary action being taken against the individual who broke confidentiality by disclosing PHI.

How To Avoid HIPAA Violations

Managers need to ensure that every employee in their company understands where information should be stored, how it can be accessed, and who is authorized to access PHI.

Training on these policies must cover more than just one person or department in an organization. Every person with access to patient data must know what they are allowed to do when it comes to handling PHI.

To keep up with HIPAA requirements, they also need to remain consistent in their enforcement of HIPAA guidelines. When employees are aware that someone else will be checking upon them, they are more likely to follow the rules.

Privacy management software can also help reduce HIPAA violations because it makes it easier for employees to access only the information they are allowed to see. This includes patient records stored in electronic databases or files stored on a company server.

If your organization doesn't have the means to give every person with PHI access to their own encrypted private portal, consider offering regular training sessions as an alternative.