HIPAA Violation Reporting: How Does It Work?
In the modern world, it is virtually impossible to get medical treatment without disclosing a lot of private information. What happens to that information — kept by doctors' offices, hospitals, pharmacists and other medical professionals with access to patient data — is regulated by the government through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to protect the patient's privacy, safety and security.
And yet, instances of data breach happen in medical institutions, sometimes maliciously but more often by accident. Read on to learn more about what HIPAA violations are and how one can report a HIPAA violation as a patient or a medical professional.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of national standards, enforced by the Office for Civil Rights, that ensure the physical and electronic safety and confidentiality of patients' protected health information (PHI) within the health and human services (HHS) industry whenever this information is used, stored, shared, or transmitted.
A patient's PHI consists of the following pieces of personally identifiable information (as well as any other special characteristics/numbers by which a patient can be individually identified):
- Name and contact information
- SSN
- Health plan beneficiary number
- Medical record number
- Personal dates (e.g. hospital admission/discharge, birth/death, etc.)
- Driver's license number
- Device identifiers/serial numbers
- IP addresses and web URLs
- Biometric identifiers (e.g. fingerprints, voiceprints, retinal scans, etc.)
- Full-face photos
- Handwriting and signature
Principal HIPAA Rules
The main HIPAA regulations concerning PHI data breaches are as follows:
HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of PHI by professionals within the health and human services industry, strictly limiting who can access this information, whom it can be shared with, and under what conditions.
HIPAA Security Rule
The HIPAA Security Rule protects how PHI is stored, guarding it against unlawful hacks and other malicious intrusions via administrative, technical and physical safeguards.
Breach Notification Rules
These rules require that, as soon as a medical professional learns of a HIPAA security/privacy breach that affected 500+ individuals, they must, without delay, notify the affected individuals, as well as the Secretary of the U.S. Department of Health & Human Services, of the breach.
Who Is Responsible For Upholding HIPAA Rules?
HIPAA regulations apply to healthcare organizations, agencies and individuals working within the health and human service industry, falling under the category of covered entity or business associate:
Covered Entities
This applies to health care providers (medical clinics, doctors, psychologists, chiropractors, dentists, pharmacies, nursing homes); health plans (insurance companies, HMOs, company health plans, and government plans like Medicaid, Medicare, and veteran health care programs); and health care clearinghouses (services that re-format nonstandard health information).
Business Associates
An HHS business associate working with a covered entity is a company that usually assists in some administrative capacity (e.g. claims processing, data analysis, quality assurance, utilization review, billing, pricing, etc.).
Different HIPAA Violations
Some HIPAA violations cause serious harm, though the majority of small accidental errors made in good faith come and go without doing any damage or being noticed. Most HIPAA violations occur not because of criminal attacks but because of negligence or ignorance on the part of those handling sensitive patient data (which is why staff training is so incredibly important!).
Among the most common "accidental" offenses against HIPAA rules are:
Improper Disposal Of Records
Medical offices are required to store medical records securely and to destroy them properly upon disposal; these procedures are not always adhered to.
Unencrypted Data
Though HIPAA does not technically require it, encrypting sensitive patient data is highly recommended. Institutions that don't are vulnerable to hacks, and if the PHI is breached by hackers, they may become legally liable for failing to secure it.
Employee Imprudence
By far the most common HIPAA violation (and the easiest to prevent with training) happens when employees openly discuss patients' PHI with each other within earshot of unauthorized parties, without paying attention to, or remembering, that it is confidential.
Who Can Report A HIPAA Violation?
Medical patients who feel that their HIPAA rights have been violated — as well as employees within the "covered entities" and their "business associates" who have observed a HIPAA violation at work — can file a HIPAA complaint.
Reporting HIPAA Violations
If privacy, security, or breach notification rules have been violated, there are ways to file a HIPAA complaint of a violation internally within the company and externally with the U.S. Department of Health & Human Services' Office For Civil Rights (OCR).
HIPAA Violation Reporting For Employees
When an employee in the HHS industry catches a HIPAA violation, the reporting procedure varies by organization. In one workplace, the protocol may be to verbally report the violation to an immediate supervisor or manager; in another office, it may involve filing a written complaint with the company's Privacy/Security Officer.
If the situation is not addressed internally to the employee's satisfaction and in a timely manner, it is possible to escalate the report to the Department of Health & Human Services' Office for Civil Rights (OCR) (and, in grave cases, through the courts, or to the State Attorney General).
If the workforce member chooses to deny consent in the consent paragraph at the bottom of the complaint form, the OCR will not disclose their personal information to the covered entities/business associates if the case goes under investigation (at any rate, it is unlawful for companies to take retaliatory action against their own employees for HIPAA violation reporting!).
HIPAA Violation Reporting For Patients
Patients who believe their HIPAA rights have been violated can lodge a report with the OCR by mail, email, fax — or file a complaint online through the OCR complaint portal.
(Patients who believe they have witnessed a HIPAA violation not related to their own PHI, as well as health and human service workers reporting a HIPAA violation they observed on the job, can use a secondary complaint portal to file a complaint with the OCR.)
When filing the complaint online, one needs to include:
- the name of the individual filing the complaint
- the name of the covered entity/business associate the complaint is being filed against
- a detailed description of the acts or omissions that are believed to have violated any of the HIPAA security/privacy/breach reporting rules
The complainant has 180 days from the date the HIPAA violation occurred to file a complaint, although in some cases the OCR may extend this deadline if "good cause" can be demonstrated.
What Happens After A Complaint Is Filed?
The OCR, as the primary enforcer of HIPAA, will launch an investigation of the alleged violation and, if it finds the named covered entity/business associate in violation of HIPAA regulations, will decide the outcome.
If it can be demonstrated that patients were negatively affected by the privacy breach, the guilty party may be expected to pay a reasonable settlement to the affected parties, in addition to correcting the problem immediately.
If the HHS organization fails to comply with OCR's ruling and requirements, more financial penalties will be imposed.
Preventative HIPAA Compliance Is Key!
Not all OCR investigations into companies violating HIPAA regulations result in government fines or civil suit payouts (though some do). More often, the issue is resolved through voluntary compliance, technical improvements, or an agreement by the covered entity/business associate to take corrective action to ensure HIPAA compliance in the future.
The key to HIPAA compliance lies in preventative measures, namely:
- Developing a robust HIPAA compliance checklist (and sticking to all the protocols in it)
- Educating the HHS workforce to understand HIPAA rules and take them seriously as part of their professional training
Make EasyLlama's user-friendly, mobile-optimized program take care of your HIPAA compliance training needs!
Written by: Maria Malyk