How do you Report a HIPAA Breach?

It is of the utmost importance that all members of staff in organizations whose activities relate to healthcare provision or health insurance coverage are aware of their duties and obligations under the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, and that they are able to report a breach of these obligations or a dereliction of duty should they discover one.

To ensure all employees understand their role in upholding HIPAA and following the rule of law, training should be given to staff on their arrival or shortly after they commence their position. Topics that should be covered include recognizing HIPAA violations and learning how to report them to the appropriate designated internal contact person, who is often a supervisor or a dedicated HIPAA compliance officer. This person will in turn need to judge whether the violation must be reported to the regulatory authority responsible for HIPAA: the Department of Health and Human Services’ Office for Civil Rights (OCR).

HIPAA violations should be investigated quickly by the company to assess the scale of the problem, to ensure that any faulty process or procedure is corrected, and to make sure any additional training is given, as appropriate. If the violation that was discovered involves a business associate, then they too must be investigated. Only by thoroughly and methodically reviewing the breach can the covered entity be sure that it has taken the appropriate action to minimize risk to patients and sufficiently secure their Protected Health Information (PHI). Violations or breaches must be reported as quickly as possible to allow the best chance of preventing or reducing damage.

Internal Processes to Report Breaches

If an employee suspects that a HIPAA violation is occurring or has occurred, they should notify their supervisor or the compliance officer. Even accidental violations should be reported. It is generally understood that mistakes will be made despite precautionary measures, so this type of incident may not carry any penalties. An investigation should still be undertaken, however, to determine whether better procedures could prevent similar accidents and to verify that no other violations have occurred.

Whether a breach is reportable to the OCR depends largely on how many people are affected and how much control the covered entity had over the situation. Accidental breaches imply low control and often impact only a very small number of patients. As such, they may not require formal breach notifications to be issued.

Reporting Breaches to the OCR

Employees do have the right to report suspected breaches or violations directly to the OCR. Patients may also report HIPAA concerns in this manner. The OCR has created an online complaints portal through which reports can be made. While a report can be submitted anonymously, the OCR will only investigate if the name and contact information of the complainant are provided.

HIPAA violations do not automatically mean heavy fines; the OCR has often resolved issues by issuing technical guidance and giving companies the opportunity to comply voluntarily. This is yet another reason why people should not hesitate to report suspected HIPAA breaches.