3 How To Report HIPAA Violations

(doylc.com) How to Report HIPAA Violations - The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a federal law that protects the confidentiality of patient health information/records and requires the enactment of security measures to protect electronically stored patient health information/records. If you believe your health information has been compromised in violation of HIPAA, you can file a complaint to report the violation.

• Reporting a HIPAA Violation

Get the form pack. The US Department of Health and Human Services Office of Civil Rights ("OCR") posts an OCR Health Information Privacy Complaint Form ready. You use this form to report a HIPAA violation by downloading it, completing it, and then submitting it to the appropriate authority.

Read through the package of forms. The form package consists of eight pages. Before you start filling out the form, you should take some time and read through the entire form package. You use the first two pages to actually report the HIPAA violation.

The third and fourth pages contain a consent form that you can fill out to authorize OCR to access your personal information while the office investigates your complaint.

On the last four pages you will find information about what OCR can do with your personal information, how it is protected and when it can be disclosed.

Provide identifying information. The top half of the first page of the complaint form requires you to provide information to enable OCR to determine who is reporting the HIPAA violation. You must provide your name, phone number, address and email address.

If you are completing the form for someone else, check the appropriate box and write that person's name in the appropriate section.

Provide information about the HIPAA violation. On the second half of the first page, you must identify who, when, and what the alleged HIPAA violation is. You must provide the name and address of the entity that you believe has committed the violation and the date of the violation. You must then briefly describe how the named entity violated your (or another person's) rights under HIPAA.

You should describe the nature of the violation as specifically as possible. You don't have to use complex legal language or refer to the HIPAA statute itself. Simply write down the sequence of events that you believe led to the breach, and then provide as much detail as possible about the breach and its implications.

If you need more space than provided, you can attach additional pages.

Provide optional information. The second page of the complaint form is completely optional. This part of the form asks you to indicate any special needs that may affect communication with OCR, allows you to provide an additional contact if OCR cannot reach you directly to discuss your report, asks if you Have submitted your complaint elsewhere and ask about your race/ethnicity and how you found out about OCR.

Complete all, some, or none of these sections as you see fit.

Sign and date the form. There is space at the bottom of the first page to sign and date the form. You must do this before submitting it.

Complete the complainant's consent form. The third and fourth pages of the form pack are consent forms that must be submitted along with the complaint form you just completed. Read the form and decide if you want to consent to OCR accessing your personal data and sharing it with certain companies during the course of the investigation. Then check the appropriate box related to your opt-in choice, enter your address and phone number, and sign and date the form.

Consent is entirely voluntary, but OCR warns that failure to provide consent can hamper and ultimately terminate the investigation.

Submit your complaint. After completing both the complaint and consent forms (again, the first four pages of the form pack), you have several options for submitting your complaint to OCR:

You can print the completed forms and mail or fax them to the appropriate regional OCR office (the OCR office in the region where the violation occurred). OCR provides a list of contact information for its regional offices online.

You can email the completed forms to OCR at OCRComplaint@hhs.gov.

• Using Alternative Methods for Reporting HIPAA Violations

Submit a written complaint. If you don't want to use the official forms that OCR provides on its website to report a HIPAA violation, you can simply write a complaint in your own format. Then submit the written complaint like the official form (by post or fax to the responsible state office or by e-mail). Your written complaint must contain the following information:

Your name, street address, phone number and email address.

Name, address, and phone number of the entity that you believe has committed the violation.

A brief description of the breach (specifically: the how, why and when of the breach).

Your signature and the date of the complaint.

If you are submitting the complaint on behalf of someone else, you must also provide that person's name.

Submit a claim online. You can also submit a complaint electronically via the OCR Complaints Portal. Open the portal, choose the type of complaint you want to make and answer the questions you're asked. You will provide identifying information, describe the nature of your complaint and provide other information that may assist OCR in investigating/verifying your complaint. Then simply click the button to submit your complaint.

You have the option of printing a copy of your complaint.

• Learn when to report a HIPAA violation

File a complaint against an “affected entity”. HIPAA doesn't require everyone to follow its rules. Only those entities that HIPAA considers “affected entities” are capable of such a violation. "Covered Entities" include healthcare providers, healthcare insurance companies and healthcare clearing houses. The following companies are generally required to comply with HIPAA and may therefore be OCRed for violation:

Doctors, psychologists, chiropractors, dentists.

Hospitals, clinics, nursing homes, pharmacies.

Health insurance companies, company health insurance companies.

Government health programs such as Medicaid or Medicare.

You know who you can't report. Just as there are certain companies that fall under the provisions of HIPAA, there are also those that are not bound by its rules and therefore cannot violate them. OCR will not investigate a complaint filed against the following organizations:

Employers, life insurers, professional associations.

Many schools/school districts.

Many government agencies, such as those dealing with child protection services.

Lots of law enforcement agencies.

Many municipal offices.

Know what information is protected. The HIPAA privacy rule protects your privacy by regulating who can see or receive your health information. The HIPAA security rule requires that any covered entity that stores your health information in electronic format has appropriate security measures in place to protect that information from unauthorized access. The following information is protected under HIPAA:

Information placed in your medical record by a healthcare provider.

Discussions your doctor has with other healthcare professionals about your care or treatment.

Billing data from your clinic and personal data from your health insurance company.

Find out what affected companies need to do to protect your data. HIPAA requires that covered companies take certain actions and take certain measures to ensure that your health information is protected from unauthorized access or disclosure. In particular, such a company must do the following:

Put safeguards in place to protect your health information and not use/disclose your health information inappropriately.

Limit the use and disclosure of your health information to what is necessary.

Establish procedures to restrict access to your health data.

Train your employees on how to protect your health data.

Know Your Rights HIPAA also gives individuals certain rights over their own health information. Each affected company must respect and comply with these rights. These rights include:

Ask to see/obtain a copy of your health records.

If necessary, have your health data corrected.

Receive notifications on how your health information is being used/shared and get a report detailing when/why your health information was used/shared.

Deciding whether to use your health information for other purposes, such as B. Marketing, can be passed on.