There is no one-size-fits-all HIPAA violation reporting process because different organizations have different policies and procedures for reporting HIPAA violations, while the process for reporting violations to HHS' Office for Civil Rights varies according to the nature of the violation and who is making the report.
There are many different types of HIPAA violations, but some are not as serious as others. For example, the failure to send periodic security reminders (an implementation specification of the security awareness and training standard at 45 CFR § 164.308(a)(5)) is a HIPAA violation, but it is unlikely to have consequences as serious as the theft of an unencrypted laptop containing the ePHI of twenty thousand patients.
Consequently, a single Covered Entity or Business Associate may have several HIPAA violation reporting processes depending on the nature and potential severity of the event. Similarly, HHS' Office for Civil Rights – the HIPAA enforcement agency – has three reporting processes through which organizations, members of the workforce, and patients can report a HIPAA violation.
HIPAA Violation Reporting by Employees
When a HIPAA violation is identified by a member of a Covered Entity's or Business Associate's workforce, the reporting process is determined by the organization's HIPAA policies and procedures. Some organizations' policies require a verbal report to an immediate supervisor or manager, while others require the violation to be reported in writing directly to the organization's Privacy or Security Officer. In some cases, the recipient of the report depends on the nature of the violation.
Some organizational policies include a process for escalating HIPAA violation reporting. Typically, if the immediate supervisor fails to address the violation, the report should be escalated to the Privacy or Security Officer. If the violation remains unaddressed, the report should be escalated to HHS' Office for Civil Rights. It is also possible to escalate reports to State Attorneys General or through the courts by bringing a qui tam (whistleblower) action under the False Claims Act against the Covered Entity or Business Associate, since HIPAA itself provides no private right of action.
HIPAA Violation Reporting by Patients
Most patients' knowledge of HIPAA is limited to the information provided for them in a Notice of Privacy Practices. Consequently, patients should be aware of their HIPAA rights and how to report a violation of their rights – most often to the Covered Entity's Privacy Officer (whose contact details should be on the Notice of Privacy Practices) or to HHS' Office for Civil Rights through the online complaints portal. Complaints to HHS' Office for Civil Rights have to be filed within 180 days (roughly six months) of when the complainant knew, or should have known, of the violation, although this time limit can be waived for good cause.
If a patient witnesses a violation unrelated to their own rights, the HIPAA violation reporting process varies slightly. Reports can be made to the organization's Privacy Officer as before, to HHS' Office for Civil Rights via a different complaint portal (for Privacy Rule violations and Security Rule violations), or to State Attorneys General via State Departments of Consumer Protection. However, federal and state agencies may require evidence of the violation before initiating an investigation.
Reporting Data Breaches to HHS' Office for Civil Rights
Covered Entities and Business Associates are not required to report HIPAA violations unless they result in unauthorized access to – or acquisition, use, or disclosure of – unsecured PHI. Most HIPAA violations of this nature must be reported to the individuals affected by the data breach and to HHS' Office for Civil Rights, unless it can be shown there is a low probability that PHI has been compromised based on the four-factor risk assessment in the Breach Notification Rule, or one of the Rule's exceptions to the definition of a breach applies.
The manner of HIPAA violation reporting to HHS' Office for Civil Rights varies according to the number of individuals affected by the data breach. For data breaches affecting 500 or more individuals, Covered Entities must notify HHS' Office for Civil Rights without unreasonable delay and no later than sixty calendar days after the breach is discovered. For breaches affecting fewer than 500 individuals, Covered Entities can log these violations and report them to HHS' Office for Civil Rights annually, within sixty days of the end of the calendar year in which the breach was discovered. A Business Associate that discovers a breach must notify the Covered Entity, which is then responsible for these reports.
Why You Shouldn't Delay Reporting HIPAA Violations
There are multiple reasons why members of the workforce, patients, and Covered Entities should not delay reporting HIPAA violations. One of the most pressing reasons for members of the workforce – and supervisors, managers, and Privacy Officers – not to delay HIPAA violation reporting is that, if reports are delayed, no action will be taken to address them, and violations could develop into “cultural norms” which will be harder to reverse.
For the same reason, patients should not delay reporting HIPAA violations – notwithstanding that they only have a 180-day window for filing a complaint with HHS' Office for Civil Rights – while the consequences of Covered Entities failing to report HIPAA violations in a timely manner can be substantial. In 2019, Sentara Hospitals had to pay $2.175 million as part of a settlement for failing to notify HHS' Office for Civil Rights of a data breach affecting 577 patients.
The post HIPAA Violation Reporting appeared first on HIPAA Journal.