Reporting Channels for Potential HIPAA Violations

1. Internal Reporting

Many covered entities have a designated HIPAA Privacy Officer. This individual is responsible for handling inquiries and complaints regarding potential HIPAA violations within the organization. Contacting the HIPAA Privacy Officer should be the first step, as they can investigate the issue internally.

2. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

The OCR is the federal agency responsible for enforcing HIPAA regulations. Individuals can file a complaint with the OCR through various methods:

• Online Complaint Portal: The OCR maintains a user-friendly online portal (https://www.hhs.gov/hipaa/filing-a-complaint/index.html) to electronically submit complaints.
• Mail or Fax: Individuals can download the complaint package from the OCR website (https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/complaints/hipcomplaintform.pdf) and mail or fax it to the designated regional office.
• Email: While not the preferred method, complaints can be submitted via email to OCRComplaint@hhs.gov.

3. State Attorney General

Some states have their own laws and enforcement mechanisms related to patient privacy. Individuals can explore the possibility of filing a complaint with their state Attorney General’s office alongside, or instead of, reporting to the OCR.

The Health Insurance Portability and Accountability Act (HIPAA) safeguards the privacy of individuals’ health information. A crucial aspect of this act is ensuring individuals have avenues to report suspected violations. This article outlines the primary channels for reporting potential HIPAA violations in the United States.