HIPAA violations should be reported internally to the HIPAA Covered Entity's or Business Associate's privacy official, security official, or compliance reporting channel, and externally by filing a complaint with the U.S. Department of Health and Human Services Office for Civil Rights, the regulator that enforces HIPAA.
Internal Reporting Within The Organization
Workforce members should report suspected or known HIPAA violations through the organization’s documented reporting process. Reports commonly go to the designated privacy official for matters involving the HIPAA Privacy Rule and to the designated security official for matters involving electronic protected health information under the HIPAA Security Rule.
Reports should be made promptly so the organization can investigate, mitigate harm, stop impermissible uses or disclosures, and complete any required actions under the HIPAA Breach Notification Rule.
Reporting By Patients And Other Individuals
Individuals may report suspected HIPAA violations to the HIPAA Covered Entity privacy official using the complaint process described in the organization’s notice of privacy practices or other published procedures.
Individuals may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. The Office for Civil Rights evaluates complaints and may initiate an investigation or compliance review.
Reporting When Business Associates Are Involved
Business Associates should report suspected violations and security incidents through their own internal reporting channels and in accordance with the requirements of the applicable Business Associate Agreement. When an impermissible use or disclosure or a security incident involves protected health information, the Business Associate must report it to the HIPAA Covered Entity within the timeframes specified in the Business Associate Agreement so that the HIPAA Covered Entity can meet its obligations under the HIPAA Breach Notification Rule.
