How to Report a HIPAA Violation

In 1996, the world of healthcare began a series of reforms. Chief among these was the Health Insurance Portability and Accountability Act. This act, otherwise known as HIPAA, protects patient privacy not only at the doctor’s office, but in workplaces, schools and other areas as well.

HIPAA created security measures to protect patient information and records that are stored electronically. In our modern world of medicine, records are accessed frequently and medical forms are filled out and filed in many situations. This leaves many areas where a HIPAA violation may occur.

If you believe your medical information has been compromised, you can report a HIPAA violation to protect your interests.

As you begin the HIPAA violation reporting process, be sure to keep some key requirements in mind:

• You should document and keep a copy of all paperwork and complaints for your own records.
• You are protected from retaliation by federal law. Report any retaliatory action immediately to the Office of Civil Rights.
• You must report a HIPAA violation within 180 days of when you know the violation occurred.
• You have a choice in HIPAA violation reporting. You can file a report online or in writing, but the Office of Civil Rights, or OCR, is considered the best place to report a violation.

What is Protected by HIPAA?

Every visit to the doctor’s office creates new records in your collective medical file. The notes in your medical files deal with diagnosis, treatments and the expected recovery or outcome from procedures and treatments.

This information is the type of medical detail considered confidential. HIPAA also protects your name, address, phone number, Social Security number and any other data that would identify you. When any of this information is leaked, either by accident or intentionally, your right to privacy has been violated and you have grounds to report a HIPAA violation.

It is worth noting that not every entity is covered by HIPAA. Not every organization must follow the rules laid out by HIPAA. If an organization is not bound to follow HIPAA laws, they cannot create a violation. When beginning your HIPAA complaint, be sure that the entity you are complaining about is a “covered entity” or your claim cannot be investigated. Covered entities include:

• Doctors
• Dentists
• Psychologists
• Chiropractors
• Hospitals and Clinics
• Nursing Homes
• Pharmacies
• Health Insurance Companies
• Company Health Plans
• Government healthcare programs like Medicaid or Medicare

The Office of Civil Rights will not investigate a claim made against a “non-covered entity” like the following:

• Employers
• Life Insurance companies
• Worker’s compensation
• Most school districts
• Most state agencies
• Many municipal officers

Additionally, there are guidelines that covered entities must use to adequately protect your information. HIPAA Privacy Rule regulates who may legally see or receive your healthcare information. Covered entities who use electronic files must store your medical information using appropriate security measures. The following elements of your healthcare visits are covered by HIPAA regulations:

• Information placed in your medical files by a healthcare provider.
• Conversations about your health with other medical professionals about your care or treatment.
• Personal information
• Billing information

Investigations under HIPAA are complaint-driven. Once you file a complaint through the online portal for Office of Civil Rights, the OCR will review the complaint for validity and completeness before it is processed.

How to Report a HIPAA Violation

The first step in resolving a HIPAA complaint is knowing how to report a HIPAA violation. The Office of Civil Rights is in charge of handling HIPAA violation reporting. There is an online reporting portal through the OCR website called the OCR Complaint Portal. Alternatively, you can report a HIPAA violation by downloading a packet from the OCR website. The packet can be downloaded, completed and returned to the OCR offices by mail, fax or email.

Regardless of how you report a HIPAA violation, you will be asked for the same information – the name of the health care provider or entity that violated the HIPAA privacy regulations. You must also describe the offending incident in full detail covering as much as possible. Finally, the report must be filed within 180 days of when you become aware of the HIPAA violation.

Downloading the HIPAA Complaint Packet

The most common way to file a HIPAA complaint is to download the complaint packet from the OCR Complaint Portal. Once at the portal, you can download the packet to begin the process or get the packet in PDF from this link.

Once you’ve opened the PDF form of the document, you can print the packet and begin filling out the required pages. There are eight pages inside the HIPAA complaint form. The first two pages are used to actually report the HIPAA violation. The third and fourth pages include a consent form where you give the Office of Civil Rights permission to access your personal information. The final four pages provide information on what may happen as your claim is investigated including where your information will be used and disclosed.

Personal Information

As you fill out the HIPAA complaint packet, you can expect to include your personal information including your name, address and contact information like a phone number and email address. You may also complete the form on behalf of someone else.

Identify the Complaint

When you reach the section about the actual violation, be specific and thorough in your description of what actually occurred. You will be asked to provide the name and address of the entity where the violation occurred as well as the specific acts that caused the violation. You will be asked for the date of the violation as well.

In this part of the HIPAA complaint packet, it is important to be as detailed and specific as possible. Avoid legalese and complex terms that may make it hard for a reader to understand the specifics of the situation. Write down the sequence of events that led to the violation and how that violation has affected you. It is possible to add additional pages as necessary.

Optional Information

In the HIPAA complaint packet, the second page is optional. On this page, you can identify the special needs that may be able to affect communication with the Office of Civil Rights. You may include alternative communication options and, if you choose, you may answer questions about your ethnicity and other areas where you might have filed the complaint.

Consent Forms

The third and fourth pages of the HIPAA violation packet are consent forms. These forms give OCR the right to access and reveal personal information about you and your medical history during the course of their investigation. While it is optional to complete the consent forms, it is unlikely that your complaint will be investigated without having a signed consent form. It is challenging to investigate a medical information complaint without accessing medical information about the person making the complaint.

Complete the HIPAA Packet

You will sign both the information pages and the consent pages to complete the HIPAA packet. Be sure to read the additional disclosures that are included in the packet on the last four pages to understand how things will proceed once you submit your complaint formally.

Submit the Complaint

Once you have completed the complaint packet, you can submit the completed forms in several ways. You may print the forms and send them via post to the regional OCR office in the area where the incident occurred. You may also send a digital version of the completed, signed forms to the OCR through email. Emailed forms should be sent to OCRComplaint@hhs.gov.

File a HIPAA Complaint Online

You also have the choice to file a HIPAA complaint electronically using the OCR Complaint Portal. The Administrative Simplification Enforcement Tool, or ASET, is the online portal used by the OCR to register and store information about the online HIPAA complaints.

Initial Questions

The portal will guide you through the complaint process by offering choices about the type of complaint you are making and the timeframe of the incident. In order to use the ASET system, you will also be required to set up a username and password for the system. This is part of the initial set-up in the ASET system as you begin to file an online complaint.

Contact Information

You will be asked to provide additional information including your personal details and contact information. Your personal information is stored in the ASET computer system, but it is important to note that you do have the option to remain anonymous as you make the complaint.

Violation Details

You will be asked to type a summary of events that occurred that created the HIPAA violation. Be as specific as possible during this summary of events and avoid complicated language. You will be asked if there is additional information you can provide that may help the OCR as they investigate and review your complaint.

Submit and Print

Finally, when you have finished all of the screens in the online HIPAA violation form, you will submit the form online. You will be given an opportunity to print your form after submitting it. It is strongly recommended that you do so. This way you have a copy of your complaint in your own records.

Complain in Writing to the OCR

There is a third way to submit a HIPAA violation. You may choose to write your own letter detailing the HIPAA violation and submit it to the OCR regional offices in the same way you would submit the official packet. These letters can be emailed or mailed to be officially submitted.

If you plan to write your own letter about a HIPAA violation, be sure to include the following details:

• Your contact information including your name, street address, telephone number and email address.
• The contact information for the entity you are accusing of violating the HIPAA laws including name, street address and telephone number.
• A description of the violation that occurred including specific details about the timing, the method and the actual activities that created the HIPAA violation.
• Your signature and the date you signed the letter.

It should also be noted that you may submit a complaint letter on behalf of another individual. You must note this, however, and include the other person’s name in the written letter.

What Happens After You File Your HIPAA Complaint?

After you have filed your HIPAA complaint either by packet, online or by written letter, the Office of Civil Rights and the Centers for Medicare and Medicaid Services (CMS) will review your claim to see if the incident you are describing constitutes a violation. A HIPAA violation can only occur in an entity covered by HIPAA legislation and should include a breach of HIPAA requirements. Entities like a doctor’s office or insurance company are legally required to do the following to protect your medical information:

• Establish safeguards and not disclose your health information improperly
• Use your medical information only when necessary.
• Have established procedures to limit your medical information.
• Train employees on protecting your health information.

HIPAA legislation also requires companies to allow you access to your own medical information. Under HIPAA you should also have the following rights that may be breached in a HIPAA violation.

• You may ask to view or have a copy of your health records.
• You may have your health records corrected as needed.
• You should receive a notice about how your health information is used and shared.
• You may decide if your health information may be used for additional purposes like marketing.

If CMS finds that your claim is verified and all contact information for both parties is correct, the complaint will be officially opened. CMS will then contact the entity you are filing a grievance against to notify them of your claim in writing.

A follow-up letter is sent that includes information about how the grievance will proceed, but time is allowed for the company in question to conduct an internal investigation and develop a response to your complaint. All of the information tied to your complaint and the company response are housed in the ASET system where the digital complaint originated.

As the CMS and OCR are investigating they may close out your complaint if the activity is more than 180 days old or if they find the grievance to be baseless.

If the investigation does find in your favor, the situation may be resolved informally with a corrective action plan. In some cases, the situation is resolved formally with a monetary penalty levied against the company responsible for the HIPAA violation.

You will be informed about the outcome of the investigation. You should also be free from retaliation stemming from the complaint and investigation, regardless of outcome.

Finding Support Online
While there is no substitute for filing an official grievance, you may be able to find others online who have shared experiences. PissedConsumer frequently receives CareCentrix reviews, United Healthcare complaints and Kaiser Permanente reports. Knowing that a company might have had previous instances of alleged HIPAA violations may be information that you can use in your own decision making.