Following a breach of unsecured protected health information (PHI), HIPAA covered entities and their business associates are required to notify the affected individuals, the Secretary of Health and Human Services and, in some cases, the media, in accordance with the HIPAA Breach Notification Rule, 45 CFR 164.400-414.
Under section 13407 of the HITECH Act, vendors of personal health records and their third-party service providers are subject to comparable breach notification requirements, which the Federal Trade Commission (FTC) has implemented and enforces.
How to Report a HIPAA Violation
All employees working in the healthcare and health insurance sectors should know what a HIPAA violation is and how to report one.
A Covered Entity's HIPAA training should cover what a HIPAA violation is, how to report one, and whom to report it to.
The person who receives the report is then responsible for deciding whether the violation must be reported to the Department of Health and Human Services' Office for Civil Rights (OCR).
HIPAA Covered Entities and, where applicable, their Business Associates are required to investigate any potential HIPAA violation internally in order to assess the seriousness of the violation, the risk to the affected individuals, and what corrective action is needed and how quickly.
The sooner a possible HIPAA violation is identified, the easier it is to contain any damage and prevent further violations of the HIPAA Rules.

Reporting HIPAA Violations Internally
When healthcare or insurance professionals suspect that a HIPAA violation has taken place, they should inform a supervisor, the organization's Privacy Officer, or whoever is responsible for HIPAA compliance in the organization.
Even when staff exercise extreme caution, accidental HIPAA violations still happen. An internal investigation is required to determine whether the incident qualifies as a reportable breach under the HIPAA Breach Notification Rule.
Minor mistakes made in good faith, or situations where PHI has been disclosed but there is little likelihood that the recipient could have retained it, are examples of incidents that are often considered too minor to require notifications to be sent out.
You should report a HIPAA violation right away if you have made a mistake, have unintentionally seen a patient's PHI that you are not authorized to view, or suspect that someone else in your organization has broken the law. If a failure to report is discovered later, it is likely to be viewed unfavorably.