How Do You Report an Anonymous HIPAA Violation Complaint?

by

An employee who discovers an HIPAA violation committed by the company management or by a co-employee may want to report the incident to the Department of Health and Human Services’ Office for Civil Rights (OCR).

An employee can report a HIPAA violation to OCR, but investigation will only proceed if the HIPAA violation report was submitted 180 days since the discovery of the supposed HIPAA violation. In some cases, OCR gives an extension for submitting complaints with a ‘good cause.’ This rule on extension does not apply to alleged cases of HIPAA Privacy Rule violation that took place prior to April 14, 2003 and cases of Security Rule violation prior to April 20, 2005.

OCR reviews submitted complaints and investigates potential HIPAA violations, which may result in sanctions and financial fines. Any person who likes to report a potential HIPAA violation can submit complaints through the website of OCR. There is a step-by-step guide for users to make the complaint process easy. One more way to submit a complaint is to fill up a downloadable form that can be sent by mail, email or fax to OCR.

Anonymous HIPAA violation complaints can be submitted since providing a name and contact details are not compulsory. Nevertheless, OCR may not investigate anonymous complaints.

A number of complainants choose to stay anonymous since they fear backlashes from their employer. OCR explains that it is illegal for HIPAA-covered entities to get back on any person who reports a HIPAA violation. If OCR finds out that the employer retaliated, it is likely to result in sanctions.

There is an alternative for people not to submit an anonymous complaint and at the same time protect their privacy. When affixing your signature on the complaint form supplied by OCR, put your name and contact details. Then, at the bottom of the complaint form, tick the option in the consent portion that say deny OCR permission to reveal your identity or information. During the investigation, OCR will not divulge your identity. Submitting a complaint this way is still regarded as anonymous and the case may result in delays or closure without any investigative action taken versus the violator.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]