How To Report Hipaa Violations

The HIPAA acronym refers to the Health Insurance Portability and Accountability Act. It is a 1996 law that brought about several important health insurance reforms. Its most important sections deal with patient privacy laws. Equally as important is the patient’s right to complain if they feel that their privacy has been breached.

What Privacies are Protected by HIPAA?

Every time a patient visits a medical office, notations are made in their records. These notes deal with diagnosis, treatment and prognosis for every condition. All of this information is considered confidential under HIPAA. Moreover, the patient’s name, address, phone number, Social Security number and any other identifying data are also strictly private. When this information is breached or leaked, whether willfully or accidentally, this is a violation of the patient’s right to privacy.

How to File a Complaint

The OCR Complaint Portal, a component of the website of the Office for Civil Rights at, is the best place to file a complaint. Alternatively, a packet of forms may be downloaded from the website and mailed, faxed or emailed to the same entity. The complaint must be filed in writing, and the forms provided by OCR make this an easy task. Complainants are walked step-by-step through the process in which they must name the health care provider or entity that they believe violated HIPAA privacy regulations. They must also fully describe the alleged breach, being as complete as possible and providing as many details as are available. A timeline of 180 days for filing is typically enforced, and begins running from the day on which the complainant became aware of the violation.

What Happens After a Complaint is Filed?

The Office for Civil Rights must first decide whether or not to investigate a claim. They may not investigate if the complaint is filed beyond the 180 day time period. If they do investigate, they will inform the entity or individual against which the complaint was filed. At the conclusion of the investigation, the OCR may simply close the complaint if they find it baseless. Otherwise, the complaint may be resolved informally such as with a corrective action plan or formally with a monetary penalty. The complainant is informed about the outcome of the investigation. It’s important for complainants to understand that health care providers are prohibited from retaliation against the person filing the complaint, regardless of the outcome of the investigation.

More On This Topic

Comments are closed.