The HIPAA violation reporting process differs from one organization to another because policies and procedures differ, and the process for submitting violation reports to HHS' Office for Civil Rights (OCR) depends on the nature of the violation and on who is making the report.
There are many types of HIPAA violations, and some are less serious than others. For example, failing to issue periodic security reminders to the workforce (a requirement of 45 CFR § 164.308) is a HIPAA violation, but its consequences are far less severe than the theft of an unencrypted laptop containing the ePHI of 20,000 patients.
A single Covered Entity or Business Associate may therefore have several HIPAA violation reporting procedures, depending on the nature and likely seriousness of the event. Similarly, HHS' Office for Civil Rights provides three routes by which organizations, employees, and patients can submit a HIPAA violation report.
For Employees Reporting HIPAA Violations
If a member of a Covered Entity's or Business Associate's workforce identifies a HIPAA violation, the reporting process depends on the organization's HIPAA policies and procedures. Some organizations' policies require a verbal report to a direct supervisor or manager, while others require a written report of the violation sent directly to the organization's Privacy Officer or Security Officer. In some cases, who receives the report is determined by the nature of the violation.
Many organizational policies also include an escalation procedure for HIPAA violation reports. Typically, if the direct supervisor cannot resolve the violation, the report should be escalated to the Privacy Officer or Security Officer. If the violation still remains unresolved, the report can be taken to HHS' Office for Civil Rights. It is also possible to report violations to State Attorneys General or, through the courts, by filing a qui tam action (under the False Claims Act) against the Covered Entity or Business Associate.
For Patients Reporting HIPAA Violations
Most patients' understanding of HIPAA is limited to the information given to them in a Notice of Privacy Practices. Patients should therefore be told what their HIPAA rights are and how to report a violation of those rights, usually to the Covered Entity's Privacy Officer (whose contact details must appear in the Notice of Privacy Practices) or to HHS' Office for Civil Rights through its online complaint portal. Complaints to OCR must be filed within 180 days (roughly six months) of when the complainant knew, or should have known, that the violation occurred, although OCR may extend this period for good cause.
If a patient observes a violation that does not relate to their own rights, the HIPAA violation reporting process differs slightly. Reports can be made to the organization's Privacy Officer as before, to HHS' Office for Civil Rights through a separate complaint portal (covering both Security Rule and Privacy Rule violations), or to State Attorneys General via state consumer protection departments. Note, however, that federal and state agencies may require evidence of the violation before opening an investigation.
Submitting Data Breach Reports to HHS' Office for Civil Rights
Covered Entities and Business Associates are not required to report HIPAA violations to OCR unless the violation results in the unauthorized acquisition, access, use, or disclosure of unsecured PHI. Such an incident is presumed to be a reportable breach, and must be notified to the individuals affected as well as to HHS' Office for Civil Rights, unless the organization can demonstrate a low probability that the PHI has been compromised, based on a four-factor risk assessment (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated), or unless one of the exceptions to the definition of a breach applies.
How a breach is reported to HHS' Office for Civil Rights depends on the number of individuals affected. For breaches affecting 500 or more individuals, Covered Entities must notify HHS' Office for Civil Rights without unreasonable delay and no later than 60 calendar days after discovering the breach. For breaches affecting fewer than 500 individuals, Covered Entities may log the breach and report it to HHS' Office for Civil Rights annually, no later than 60 days after the end of the calendar year in which the breach was discovered. A Business Associate that discovers a breach must notify the Covered Entity, which is responsible for the notifications to individuals and to OCR.
Don’t Postpone Reporting HIPAA Violations
There are several reasons why employees, patients, and Covered Entities should not postpone reporting HIPAA violations. Employees, supervisors, managers, and Privacy Officers should never delay reporting because a violation that is reported late goes unaddressed in the meantime, and unaddressed violations can become "cultural norms" that are much harder to correct.
Patients likewise should not wait to report HIPAA violations, if only because of the 180-day window for filing a complaint with OCR. Covered Entities, for their part, should not delay their own breach reports, because the penalties for late or incomplete reporting can be substantial. In 2019, Sentara Hospitals agreed to a $2.175 million settlement with HHS' Office for Civil Rights, in part for failing to properly report a data breach that affected 577 individuals.