The ways new technologies can be used to scrape and acquire information have become a major threat to people’s privacy and confidentiality. Nowadays, it’s become easy to hack into databases, share hacked information online, and profit from it. And it’s stressful to think that your information, particularly your medical data, can be stolen without you knowing and having a say about it.
Thankfully, the law provides avenues for people to file a violation report if they believe that their records or personal information have been accessed without their consent. The federal government enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to strengthen the safeguards that protect medical records, reports, and patient information. As such, health facilities, clinics, and other entities are always responsible to protect patients’ privacy and sensitive information.
In this article, you’ll further discover what HIPAA is, who is responsible for its enforcement, and how to file a complaint in case of information leaks.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, or simply, the HIPAA sets the standards of how health care entities should enforce to safeguard protected health information (PHI) of their patients, which includes their names, addresses, contact information, personal identification numbers, photos, and signatures. Put simply, PHI is any information used to identify a patient.
It’s important to note that the law has had undergone various revisions since the government enacted and started enforcing it. These revisions are necessary for it to keep up with the new and recent ways PHI can be illegally accessed and stolen.
Which Entities Are Covered by HIPAA?
Any organization may need to obtain your medical records in one way or another for various reasons. Unfortunately, the HIPAA doesn’t cover all entities. An organization that isn’t under the watch of HIPAA may and can expose your medical information without suffering from any repercussions.
For example, hackers may use optical character recognition technology that extracts text from an image containing your medical records in your social media account. Since owners of social media websites are not bound to follow the confidentiality rules in HIPAA, you can’t file a violation report against it.
Know that if you want to file a violation report, you need to communicate with the Office for Civil Rights (OCR). It’s the government body that investigates complaints related to HIPAA violations. However, for them to start investigating, you need to make sure that the HIPAA must cover the entity or organization in your complaint.
1. Covered Entities
The HIPAA covers and safeguards all the details for every doctor’s visit or hospital admission. Besides your personal information, no one should have access to your diagnosis, prognosis, and treatments, including medical notes. If this happens, you can launch a violation report against any of the following covered entities:
- Health care providers (doctors, dentists, hospitals, nursing homes, pharmacies, etc.)
- Health insurance companies
- Private health insurance plans
- Government agencies such as Medicare or Medicaid
As a constantly evolving legal instrument, all covered entities should make sure their staff attends HIPAA training to keep them updated on the latest rulings and modifications.
2. Business Associates
This refers to third-party entities hired by covered organizations or another business associate, who, while performing their tasks, will have access to medical information.
- Information technology companies
- Practice management companies
- Physical and cloud storage providers
- Email encryption firms
Legally speaking, the law doesn’t require these entities to completely comply with everything in HIPAA as some of the regulations still apply to them.
3. Non-Covered Entities
If non-covered organizations allegedly committed privacy breaches, the Office for Civil Rights (OCR) will not launch an investigation. These include employers, life insurance firms, companies following up workers’ compensation, most state agencies, and schools.
How to Report a HIPAA Violation
The first step in finding out how to file a complaint is to know the process and the channels that you can use.
The Office for Civil Rights, which is under the United States Health and Human Services (HHS), is the agency in charge of tackling alleged HIPAA breaches. The agency manages the OCR complaint portal on its website, and you can file a report directly through this online channel.
Another option is to download, fill out, and return a form from the OCR website. After completing the requirements, you can send them back to the OCR through mail, fax, and email.
Before filing your violation report, consider the following points as part of the preparation process:
- Store all documentation, whether in paper or electronic form and make your copy.
- You should report A HIPAA violation within six months following the date of discovery.
- The OCR can’t investigate Privacy Rule complaints that occurred before April 14, 2003, since the OCR didn’t require the rule before.
- The OCR can’t investigate complaints not bearing a person’s full name and contact information. However, you can request the OCR to keep you anonymous in the consent form. Note that if you’re going to be a whistleblower for a large case, the OCR can protect you from reprisals.
Keep in mind that the OCR will only act on cases once a formal complaint is filed.
HIPAA Violation Reporting Options
You should file your complaint online, but you also have other options. Those methods are discussed below.
1. Internal Reporting
Upon the discovery of a potential HIPAA breach, healthcare workers should report the incident to the supervisor. The supervisor will then have to relay the alleged violation to the facility’s privacy officer or the point person for HIPAA compliance.
The organization should then launch an internal investigation to determine whether it needs to be reported as set forth by the HIPAA Breach Notification Rule.
The law further classifies violations into these categories:
- Minor Breaches: These refer to data leaks that impact less than 500 patients in a specific area, for instance, a state, county, or city. HIPAA suggests that in cases of minor violations, the patients involved must be informed about the incident. Additionally, all incidents involving these types of breaches must be reported annually to the OCR.
- Meaningful Breaches: Violations that affect more than 500 patients in a single jurisdiction are considered meaningful breaches. Just the same, affected persons should be notified of the incident. In the same manner, the covered entity should report to the HHS and not the OCR, within two months following the breach. In major and more widespread leaks, law enforcement and media announcements may be needed.
Every data breach authorizes the OCR to investigate a covered entity’s practice in terms of documenting, tracking, and reporting a breach. If a firm has no robust safeguards in place, it may face sanctions and penalties.
2. Downloading the HIPAA Complaint Form Package
On the HIPAA website, you can look for the Health Information Privacy Complaint Form Package PDF file. You can download, print, and fill it out to file your complaint. In it, you’ll need to indicate or write a narrative about the violation. After that, you’ll need to fill out a consent form authorizing the OCR to access your personal information. The document set includes an explanation of the stages of the investigation.
These are the main sections of the HIPAA Complaint Form Package and some tips on how to fill them out properly:
- Personal Information: Write down your complete information.
- Description Of the Breach/Complaint: Make a thorough and detailed account of the incident. Ensure that you have the complete information, including the name and address of the covered entity, where the breach took place. You’ll need to indicate the date and the specific acts that caused the violation. Be prepared to write down how the said incident impacted you.
- Optional Information: Cite the circumstances that may impact your communication with the OCR. If you fear that you may become or are already a victim, put it on record through this page.
- Consent Forms: To enable the OCR to proceed with the investigation, you must allow them to access your personal information. If you don’t fill this in, the OCR will not push through with the fact-finding mission.
- Additional Disclosure: This contains information on how the complaint will move forward after your submission.
You can either submit the document package via email, mail, or fax.
3. File a HIPAA Complaint Through The Portal
The OCR complaint portal is also available for individuals who want to file a HIPAA violation. This, however, requires you to register and supply a username and password before filing an online complaint.
Like the complaint document package, you’d need to supply your personal and contact details. The digital form also requires the details of the violation. Be as precise as you could in filling out this section.
Once done, you’ll be prompted to submit and print the form. It’s highly recommended that you print a copy and keep it for future reference.
4. Writing A Complaint Letter to the OCR
You can also write a letter addressed directly to the OCR regarding a violation. You need to supply details about the incident:
- The date when the incident was discovered
- The covered entity’s name, address, and contact details
- The events that took place leading to the HIPAA violation
To make sure that the investigation moves forward, include your full personal and contact details, too. Sign the letter to make it more official. Once done, you can send it via email or mail it, or submit it personally to the OCR office.
The Bottom Line
Healthcare facilities and practitioners, as well as other entities in the industry, must uphold your right to privacy. As such, they should avoid information breaches at all costs.
If you think you’ve become an unwilling victim of a confidentiality breach, whether deliberately or by accident, follow the steps underlined in this article to protect your rights.