
Reporting HIPAA Violations FAQ

Every medical practice must remain HIPAA-compliant at all times to avoid stiff financial penalties for violations. HIPAA regulations change regularly, making it difficult to prevent common violations from occurring. Reporting these violations may come with questions, like those that follow.

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to protect the health information of Americans. Violations occur when health organizations and businesses fail to safeguard their patients’ private medical records. Employees should report suspected and known violations.

HIPAA violations are serious transgressions. Reporting violations is important since it helps protect others from being affected by the same HIPAA breach. Navigating the complex world of HIPAA violations can be overwhelming; because of this, it is important to know how to report them.

First, healthcare workers should be aware of the most common HIPAA violations so that they can report them should they occur. An employee should report a HIPAA violation either to their employer or to the Department of Health and Human Services (HHS).

What are common HIPAA violations?

Keeping patients’ personal health information secure is a priority. Medical records should be kept locked in a desk, cabinet, or office. Digital files must be encrypted or require secure passwords to access. When health information is left unsecured, a HIPAA violation has occurred.

Hacking of patient medical data is a realistic threat, one that has occurred numerous times. Medical practices must protect their patients’ private health information from malicious cyber criminals. Using updated antivirus software, firewalls, and strong passwords helps prevent this type of HIPAA violation.

Medical facilities can be fined $650,000 when an employee’s device containing patient information is lost or stolen. Sensitive information, such as patient social security numbers, treatments, diagnoses, and medications can be stored on devices and accessed without encryption or passwords.

Hefty HIPAA fines come with gossiping about patients’ personal health information. Discussing patients’ private medical data with co-workers at the water cooler is a HIPAA violation. All patient medical records should only be shared with appropriate personnel and behind closed doors.

Similarly, discussing patients’ private healthcare information with third parties who do not have the right to access it is a direct HIPAA violation. Even if patient information is inadvertently released to the wrong party, it comes with the same consequences as intentional misconduct.

Employees may try to access patients’ private health information without the authorization to do so. Regardless of whether the intent was malicious or done out of curiosity, the action is a HIPAA violation that comes with punishment. Employees should undergo thorough training to avoid such violations.

Training should also be conducted to prevent employees from improperly disposing of medical records, an act that can result in a HIPAA violation if the data gets into the wrong hands. Medical information should be shredded, destroyed, or wiped from a hard drive to prevent wrongful access.

How does an employee report a HIPAA violation?

Employees who become aware of a HIPAA violation have multiple avenues to report it. One is through an internal channel, such as the company’s human resources department or a compliance officer. These departments take reports seriously and are trained to respond appropriately.


How do covered entities report a HIPAA violation?

Patients who believe their privacy was violated may lodge a complaint against the medical practice or other covered entity. When this occurs, the organization is bound to investigate the incident. An internal investigation may be conducted, or an outside firm can be hired to do so.


How do patients report a HIPAA violation?

External reports of violations may be directed to the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA regulations. Patients may send an email to the OCR complaint portal at OCRCompliance@hhs.gov. The organization can also help with questions regarding privacy.

When reporting to the HHS Office for Civil Rights, it’s important to include sufficient details about the incident or violation to allow the department to start an investigation or follow up. Individuals who report a violation against a covered entity are federally protected from retaliation.


How are anonymous HIPAA violations reported?

Anonymous reporting may be done when an individual is concerned that their HIPAA privacy rights have been violated. A complaint form listed on the HHS Office for Civil Rights website should be filled out; alternatively, the individual can call 1-866-633-6472 to make an anonymous report.


How soon should HIPAA violations be reported?

HIPAA violations must be reported within 180 days of the incident to allow the HHS to efficiently investigate or sanction violating healthcare organizations or other covered entities. This time period gives the HHS time to require corrective action and prevent future violations.

If HIPAA violations are reported outside of the 180-day window, then the HHS can only conduct a compliance review of the organization’s HIPAA practices or refer the individual to law enforcement authorities. The outcome may result in financial penalties against the offending entity.


How Anderson + Wanca Law Firm Can Help

Healthcare information should always be kept secure. However, as more data is continually stored on computer systems and cloud storage platforms, the risk for data breaches grows. When you learn that you have become a victim of a data breach, consult the attorneys at Anderson + Wanca.

We are a law firm that provides legal assistance to people who have become victims of a data breach. Our knowledgeable lawyers investigate the breach, handle legal claims, initiate a class action lawsuit, or explore your options for being awarded financial compensation.

Data breaches are serious offenses, especially since they can affect an individual years after the initial cyber-attack. Identity theft, stolen credit card information, compromised bank accounts, health insurance penalties, and stolen biometric data are examples of how data breaches can affect you.

These threats are the reason victims of data breaches should come forward and take legal action against the company that allowed the breach to occur. Anderson + Wanca can help you reach a fair settlement. Call our Rolling Meadows, Illinois, location for a free consultation with our data security attorneys.