How to Report a HIPAA Violation: The Complete Guide


Many companies are required by law to adhere to the standards of the Health Insurance Portability and Accountability Act (HIPAA). These standards aim to protect a patient's medical records and other sensitive information.

If a company commits a HIPAA violation, it's essential to report it. But not everyone knows how to go about it.

Not sure where to start? Don't worry, we've got you covered.

Let's take a look at everything you need to know about how to report a HIPAA violation.

What's the Point of Reporting HIPAA Violations?

Since patient healthcare information is sensitive data, it's imperative that those who notice a violation of HIPAA terms report it as soon as possible.

For instance, let's assume that a medical facility did not follow the proper procedure for securing patient records. This information would be vulnerable to being obtained by a third party, which could cause numerous complications in some scenarios.

If a patient does not wish to disclose certain medical conditions (such as HIV) to anyone other than hospital staff, they have the right to do so. A HIPAA violation could result in severe emotional distress.

In addition, compromised information puts the victim at risk of the same consequences that come with identity theft. Since full names, Social Security numbers, birthdates, and addresses are all stored at facilities that must be HIPAA-compliant, those facilities are often highly sought-after targets for criminals.

Properly reporting violations will ensure that the issue gets resolved appropriately in a timely manner.

How Can You Go About Reporting Them?

It should be noted that most HIPAA violations are caused either by a misunderstanding of the law or by a mistake made by an employee.

In order to bring attention to an entity or corporation that is violating HIPAA regulations, you'll need to file a complaint with the Office for Civil Rights (OCR). Keep in mind that your own rights don't have to have been infringed upon in order for you to file a complaint; the issue could involve a separate party entirely.

The OCR takes every complaint it receives seriously. In order for the OCR to take action on a violation, one of two criteria needs to be met:

  1. Your complaint was filed within six months of the time at which the violation occurred
  2. A business associate or business entity that's required to maintain HIPAA compliance violated your rights

If the OCR decides to take action as a result of your complaint, it will launch an investigation.

What Are Common Types of Violations to Keep an Eye Out For?

Unfortunately, HIPAA regulations are often violated without anyone knowing at all. It doesn't take blatant action in order to put someone's private information at risk. Additionally, since HIPAA regulations are constantly changing, a business that was compliant six months ago may not be compliant today.

As you may expect, this can easily result in significant issues for both the facility and its patients.

Let's take a look at a few of the most notable.

Employee Indiscretion

This is one of the most common ways that HIPAA regulations are violated. It includes situations where information is improperly disclosed to third parties, where employees are not properly trained on how to handle confidential information, and so on.

Even a scenario where two employees who are discussing a patient's medical condition are overheard by another person is considered a violation of HIPAA regulations.

Disposing of Records Improperly

All records containing sensitive patient information must always be kept in a secure location. This means they should be locked away in desks, filing cabinets, etc.

Any digital files should be secured with passwords (and also kept on a secure device). When this information is disposed of, it must be permanently destroyed and made inaccessible to anybody else.

Unsecured Data

When it comes to digital information, encryption offers an additional layer of security that can prove to be a lifesaver in the event that a database is breached or someone gains unauthorized access to the files.

While encrypting data isn't directly required by HIPAA's regulations, it's strongly recommended in order to prevent any complications from arising in the future.

What Happens Afterward?

If an investigation is launched, you'll have to wait for the OCR to complete it.

If the organization is able to determine that the party in question was in violation of HIPAA regulations, there will be a handful of consequences. The party must:

  • Correct their indiscretion immediately
  • Ensure compliance with HIPAA regulations in the future
  • Agree to compensate the affected parties through a reasonable settlement

In the event that the business or entity does not comply with the OCR and its requirements, the OCR may impose financial penalties on the party responsible for the infraction. Although the entity can request a review from a judge to determine whether the financial penalties are justified, a judge is unlikely to overturn the decision if there is supporting evidence of the violation.

Knowing How to Report a HIPAA Violation Can Seem Difficult

But it doesn't have to be. With the above information about how to report a HIPAA violation in mind, you'll be well on your way toward taking the necessary action as soon as possible.

Want to learn more about how we can help? Feel free to contact us today to see what we can do.


For 2022 Rules for Healthcare Workers, please click here.

For 2022 Rules for Business Associates, please click here.