There are a few ways to report a suspected HIPAA violation to the Office for Civil Rights (OCR).
At HIPAAgps, we try to provide as much information as possible to reduce the risk of HIPAA violations. We also suggest that employers foster an open policy where employees can report those HIPAA violations to management. However, there are times where an employee is uncomfortable speaking to a manager. That’s why the OCR provides everyone the ability to report a suspected violation anonymously.
The OCR will only investigate incidents within 180 days of discovery, meaning incidents from five years ago likely won’t be investigated. An extension may be granted if there appears to be ‘good cause’ that the incident couldn’t be reported within 180 days of discovery. Additionally, the OCR won’t investigate incidents before the Privacy Rule and the Security Rule went into effect.
The OCR has set up this complaint portal online. There is a virtual assistant on the portal that helps the complainant determine if the OCR will likely investigate the incident. This portal also provides information on how to contact the OCR if there are additional questions or if special assistance is required.
If submitting a complaint online is not an option, there is a form that can be filled out and sent by email, fax, or postal service.
It’s important to note that individuals who want to anonymously report an incident must give the OCR their name and contact information for the incident to be investigated; however, they can specify on the consent form that they would like for their name and information to be kept confidential. So, an employee may submit his or her name and contact information, and request that the OCR not reveal this information to the organization being investigated. This will provide more protection for the complainant and ensure there is an investigation.
Additionally, the OCR states that retaliatory actions are illegal, and if that occurs, it should be reported to the OCR immediately.
To learn what might constitute a HIPAA violation, join HIPAAgps.