How Long Do You Have to Report a HIPAA Violation?

The reporting timeframe for a HIPAA violation depends on whether the report is an internal workforce report, an external complaint to the U.S. Department of Health and Human Services Office for Civil Rights, or a breach notification required under the HIPAA Breach Notification Rule.

Internal Reporting Timeframe

Workforce members report suspected or known violations through the HIPAA Covered Entity or Business Associate reporting process. Internal policies typically require prompt reporting to support investigation, mitigation, and escalation to the designated privacy official or designated security official.

Complaint Filing Timeframe With The Office For Civil Rights

A complaint to the U.S. Department of Health and Human Services Office for Civil Rights generally must be filed within 180 days of when the complainant knew that the act or omission occurred. The Office for Civil Rights may extend the 180-day period when good cause is shown.

HIPAA Breach Notification Rule Reporting Timeframes

A breach of unsecured protected health information triggers notification duties under the HIPAA Breach Notification Rule after breach evaluation and determination.

Covered Entity notification to affected individuals must be made without unreasonable delay and no later than 60 calendar days after discovery of the breach.

Covered Entity notification to the Secretary of the U.S. Department of Health and Human Services follows two timelines. Breaches affecting 500 or more individuals require notice without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting fewer than 500 individuals may be logged and reported to the Secretary no later than 60 calendar days after the end of the calendar year in which the breach was discovered.

Business Associate Reporting Timeframe To The Covered Entity

A Business Associate that discovers a breach of unsecured protected health information must notify the HIPAA Covered Entity without unreasonable delay and no later than 60 days after discovery. Business Associate Agreements commonly require shorter notification periods than the HIPAA maximum, and the contract timeframe governs notice to the HIPAA Covered Entity.
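As an added example (not from the page or from HIPAA Coach), a small Python helper that turns the Breach Notification Rule timelines above into concrete calendar dates for incident-response tracking. The 60-day maximums and the 500-individual threshold come from the text; the discovery dates and contract periods in the usage section are constructed.

```python
from datetime import date, timedelta
from typing import Optional

# Outer limit in the HIPAA Breach Notification Rule (calendar days after discovery).
HIPAA_MAX_DAYS = 60
LARGE_BREACH_THRESHOLD = 500


def individual_notice_deadline(discovery: date) -> date:
    """Covered Entity notice to affected individuals: no later than 60 days after discovery."""
    return discovery + timedelta(days=HIPAA_MAX_DAYS)


def secretary_notice_deadline(discovery: date, individuals_affected: int) -> date:
    """Covered Entity notice to the HHS Secretary, split by breach size."""
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        # 500 or more: same 60-day clock as individual notice.
        return discovery + timedelta(days=HIPAA_MAX_DAYS)
    # Fewer than 500: log the breach and report no later than 60 days
    # after the end of the calendar year in which it was discovered.
    year_end = date(discovery.year, 12, 31)
    return year_end + timedelta(days=HIPAA_MAX_DAYS)


def business_associate_deadline(discovery: date, contract_days: Optional[int] = None) -> date:
    """Business Associate notice to the Covered Entity.

    The HIPAA maximum is 60 days; when the Business Associate Agreement sets a
    shorter period, the contract timeframe governs. A contract period longer
    than 60 days is capped at the HIPAA maximum.
    """
    days = HIPAA_MAX_DAYS if contract_days is None else min(contract_days, HIPAA_MAX_DAYS)
    return discovery + timedelta(days=days)


def notification_schedule(discovery: date, individuals_affected: int,
                          contract_days: Optional[int] = None) -> dict:
    """Collect every outer deadline for one breach into a single tracker record."""
    return {
        "individuals": individual_notice_deadline(discovery),
        "secretary": secretary_notice_deadline(discovery, individuals_affected),
        "business_associate_to_ce": business_associate_deadline(discovery, contract_days),
    }


if __name__ == "__main__":
    # Constructed sample: breach discovered 15 Nov 2024, 120 individuals, BAA requires 10-day notice.
    for name, deadline in notification_schedule(date(2024, 11, 15), 120, 10).items():
        print(f"{name}: {deadline.isoformat()}")
```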

Workforce Training And Reporting Readiness

All workforce members must receive HIPAA training. Annual HIPAA training is industry best practice. Training on HIPAA rules and regulations provides a foundation for workforce understanding before instruction on internal policies and procedures.

All staff in a HIPAA Business Associate must receive HIPAA training, and all staff must receive security awareness training. Any staff member with access to protected health information must receive HIPAA training, and annual HIPAA training is industry best practice.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA