The Complete Guide to Reporting a HIPAA Violation in 2022
HIPAA (the Health Insurance Portability and Accountability Act) requires health care providers, health plans, health care clearinghouses, and the business associates that handle data for them to comply with its Privacy, Security, and Breach Notification Rules. Those rules protect a patient's medical records and other sensitive health information.
HIPAA violations must be reported when they occur, but many people do not know how to do it. This guide explains who to notify, how the complaint process works, and what penalties can follow.
What is a HIPAA Privacy Officer?
Under HIPAA, the privacy officer, sometimes called the chief privacy officer (CPO), is responsible for developing, implementing, maintaining, and enforcing the policies and procedures that govern the safe use and handling of protected health information (PHI).
Any practice or health care organization that creates, receives, stores, or transmits PHI, whether on paper or as electronic protected health information (ePHI), must designate a privacy officer. In larger organizations this is usually a dedicated position; in smaller ones the privacy officer often also carries administrative or IT responsibilities.
Reporting HIPAA Violations to The Office for Civil Rights
Anyone who believes a covered entity or business associate has violated HIPAA, including employees, can file a complaint with the Office for Civil Rights (OCR), an agency within the U.S. Department of Health and Human Services (HHS). You can use the OCR Complaint Portal or send a letter, fax, or email.
The complaint must be in writing and must name the entity involved. Include what happened, when it happened, and how you believe HIPAA was violated. Complaints must be filed within 180 days of when you knew, or should have known, about the violation; OCR may extend that deadline if you can show good cause.
Reporting Within a Covered Entity or Business Associate
If you work for a HIPAA-covered entity or business associate, inform your organization's HIPAA Privacy Officer. Covered entities are required to maintain a sanctions policy for their workforce, and employees who discover a HIPAA violation but do not report it are usually subject to sanctions under that policy.
If you are a business associate, report any breach of unsecured PHI to the covered entity without unreasonable delay, and no later than 60 days after discovering it. The covered entity then performs a risk assessment to determine whether there is a low probability that the PHI has been compromised. That assessment weighs the nature and extent of the PHI involved, who received or used it, whether it was actually acquired or viewed, and how far the risk has been mitigated. Unless the assessment shows a low probability of compromise, the incident is a reportable breach and the covered entity must notify the affected individuals and HHS.
How Does HIPAA Violation Reporting Work?
After you file, OCR reviews the complaint to decide whether it falls under its authority. If the complaint is accepted for investigation, OCR notifies both the complainant and the entity named in the complaint.
Both the covered entity and the complainant are then invited to submit any information relevant to the complaint's subject or event.
OCR may ask either party for specific information to get an accurate picture of the facts. Covered entities are required to cooperate with these investigations. When the investigation is complete, OCR sends a letter with its findings. If OCR determines that the rules were not followed, the entity must agree to comply with HIPAA and take corrective action; OCR may also impose civil money penalties.
Note that the 180-day period mentioned above is the deadline for filing your complaint, not the time OCR takes to act. Investigation timelines vary with the complexity of the case, although OCR can act quickly when a complaint indicates ongoing harm.
Is There a Penalty for HIPAA Violations?
Yes. The HIPAA Enforcement Rule, as amended by the HITECH Act, sets civil money penalties in tiers based on the entity's level of culpability, and the amounts are adjusted annually for inflation. At the statutory base amounts, penalties start at $100 per violation where the entity did not know and could not reasonably have known of the violation, rise through higher tiers for violations due to reasonable cause and for willful neglect that is corrected, and reach $50,000 per violation for willful neglect that is not corrected. Each tier also has an annual cap, up to $1.5 million, for identical violations in a calendar year. A penalty is not imposed if the violation was not due to willful neglect and the entity corrects it within 30 days of when it knew or should have known of the violation. Civil money penalties are levied against covered entities and business associates; individual employees who knowingly obtain or disclose PHI in violation of HIPAA can face separate criminal penalties under the statute, including fines and imprisonment.
What Happens Afterward?
If OCR opens an investigation, you will have to wait for it to complete. If OCR finds that the entity violated HIPAA, there are several consequences. The entity must:
- Correct the violation as soon as possible
- Take steps to ensure HIPAA compliance in the future, typically through a corrective action plan that OCR monitors
- Enter into a resolution agreement, which often includes a settlement payment, where OCR requires one
Entities that fail to satisfy OCR's requirements may be subject to civil money penalties. An entity can contest a proposed penalty before an HHS administrative law judge, but where the evidence against it is sufficient, the penalty is unlikely to be overturned on review.