Guide to Reporting HIPAA Violations
HIPAA, the Health Insurance Portability and Accountability Act, provides a wide range of protections for your personal health information.
Do you know how to report a HIPAA violation?
This guide will detail what you need to know if you believe your rights under HIPAA have been violated. This includes answers to some of the most common questions on the subject, including:
- What are HIPAA violations?
- What are the consequences of violating HIPAA?
- How long do you have to report a HIPAA violation?
- Can you sue for a HIPAA violation?
HIPAA contains serious regulations, and violating this federal legislation can carry significant penalties. As with other types of wrongdoing covered by federal or state law, there is a defined process for reporting HIPAA violations.
In certain types of situations, it might be important to utilize an attorney to defend your rights.
What is a HIPAA violation in the workplace?
When many people think about HIPAA violations, they typically think of healthcare professionals, medical offices, and institutions. But HIPAA violations can occur in multiple types of industries and workplaces.
A violation occurs when an individual’s protected health information is shared or accessed without that person’s proper consent. This could be inadvertent or intentional. Either way, it would be against the law.
HIPAA is in place not only because of basic rights to privacy for personal health information but also because a violation can lead to negative impacts on someone’s life. For example, someone with a preexisting condition would not want an insurance company to find out about that information through a HIPAA violation.
HIPAA violations can cause negative personal, career, and financial impacts. Examples include:
- Getting hit with a health insurance rate increase or being dropped from your health insurance.
- Becoming very emotionally distressed due to a personal medical information breach.
- Having your vital information stolen, such as your birthdate, address, and social security number, leading to identity theft and financial problems.
- Being fired from your job and/or being discriminated against due to a medical condition or disability.
These examples are representative but not fully comprehensive. There are multiple ways that a HIPAA violation can negatively impact someone’s life. Some of these impacts can last for a long time and cause many difficult complications. This is why it is crucial to understand how to report a HIPAA violation.
Before you begin the process of reporting a HIPAA violation, you need to know the different types of actions that would represent one.
What are examples of HIPAA violations?
Infringements of an individual’s rights under HIPAA occur when there is a failure to comply with any aspects of the standards and provisions of the Act. The Americans with Disabilities Act also requires employers to keep their employees’ medical records confidential.
Potential violations in the workplace may include:
- A supervisor or HR team member shares personal information about a medical condition or disability with an employee who was not authorized to receive it or did not need to know that information in order to provide a workplace accommodation or for safety reasons.
- A healthcare provider or representative discloses a medical condition to your employer unrelated to the process of getting accommodation in the workplace due to a disability.
- Two supervisors talk to each other in a breakroom about an employee’s medical condition, which gets overheard by one or more people.
- A company fails to implement administrative, technical, or physical measures to safeguard the confidentiality of an employee’s personal health information. This may include such safeguards as locked filing cabinets, computer firewalls, encryption, or password-protected computer systems.
- An untrained or undertrained staff member in the human resources department inadvertently allows access to or discloses the personal health information of an employee.
These are some examples of situations that may amount to a HIPAA or ADA violation. Other types of offenses can occur that would breach the rules and regulations of the legislation.
What are the consequences of violating HIPAA?
HIPAA’s standards and provisions are strict. When composing the legislation, the U.S. Congress included severe consequences for violations of the Act. This includes options for both civil and criminal penalties. Civil consequences are typically large fines, which can go up to $25,000, and potentially other monetary damages. In the most severe types of HIPAA violations, criminal charges can result in imprisonment. High fines are also associated with criminal violations of HIPAA.
The authority that handles the fines and charges is the U.S. Department of Justice. These are divided into two categories: reasonable cause and willful neglect.
- Fines for reasonable cause violations can go up to $50,000.
- Penalties for violations considered to be willful neglect can go up to $50,000 in fines and can result in criminal charges.
- Consequences for violations that involve fraud can include up to $100,000 in fines and up to five years in prison.
The greater the offense, the higher the consequences. In the event that someone obtains your personal health information and there is an intent to sell, transfer, or use it for themselves for commercial advantage, personal gain, or malicious harm, this can result in up to $250,000 in fines and up to ten years in prison.
Where to report HIPAA violations
When figuring out how to report a HIPAA violation, another question that employees ask is, “Where do I go?”
If your rights under the rules and regulations of HIPAA have been violated, a report needs to be made directly to the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). This can be performed online through OCR’s portal or via mail, fax, or email. According to the OCR, the complaint must:
- Name the covered entity or business associate involved and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules.
- Include information about you, the complainant
- Include details of the complaint
- Include any additional information that might help OCR when reviewing your complaint
Under HIPAA, you cannot be retaliated against if you file a complaint. This is against the law.
It is also valid when an individual is reporting a HIPAA violation for someone else. However, more complex HIPAA violations should be brought to a lawyer first to evaluate the options for taking action. It is not uncommon for an employer to violate the rights of multiple employees. It may be a practice they are doing across the board in multiple departments.
How long do you have to report a HIPAA violation?
It is important not to delay reporting a HIPAA violation after it has occurred. Similar to other federal agencies, the Office for Civil Rights at HHS has specific policies regarding the time frames for filing a complaint. If you wait too long, there will not be a path to a resolution of the offense.
If someone’s rights have been violated under HIPAA, a report must be filed within 180 days of the violation. Time can often go by quickly, so it is necessary to be mindful of the deadline. It can take some time to complete the report with the required information in sufficient detail for the OCR.
However, the OCR can extend the 180-day timeline if someone shows “good cause.” Timeliness is important, but if there are extenuating circumstances that would amount to “good cause,” do not give up. You may still have an avenue to pursue justice for a HIPAA violation.
Once a health information privacy report is filed with the OCR, they will carefully review the complaint. After the investigation is complete, if it is found that the rules or regulations of HIPAA may have been violated, they will issue a letter that will describe the resolution to the complaint. This will typically include that the business must voluntarily comply with the HIPAA rules, take corrective action, and agree to a settlement.
The crucial takeaway here is to not delay reporting a HIPAA violation.
Can you sue for a HIPAA violation?
Workers have substantial protections under the law and deserve justice when their rights have been violated. However, each area of workers’ rights has its own paths to a resolution when laws have been broken.
Neither federal nor Florida statutes allow people to sue anyone directly for HIPAA violations. But there are still many other ways that legal action can be taken due to a HIPAA violation. You may have more than one option to pursue, depending on the specific circumstances.
Here are legal actions that might be able to be taken if your rights have been violated under HIPAA:
- Filing a negligence lawsuit
- Filing a lawsuit for theft of unsecured personal data or data breach
- Filing a lawsuit for theft of data (it must be shown that the data was used – and it caused you personal harm)
- Filing a lawsuit for breach of contract
- Filing a lawsuit for breach of fiduciary duty
- Filing a lawsuit for medical malpractice if the violation affected your healthcare
- Filing a lawsuit against an insurance company for privacy violations
- Filing a complaint with the Office for Civil Rights
As you can see, even though you cannot sue someone directly for a HIPAA violation, other alternatives might be available. Some may be more appropriate than others, depending on your situation.
These types of cases revolve around giving consent or authorization. Consent is usually verbal, and authorization is typically written. For example, you must authorize the sharing of medical information between your healthcare provider and your employer.
The details of the HIPAA violation circumstances will be integral to determining which legal action or actions might be appropriate for your situation.
When to Consult an Attorney
If your HIPAA rights have been violated, take action and consult an attorney. These types of violations can negatively affect your career and financial stability and impact you personally as well. State or federal laws may have been broken during the HIPAA violation.
An employee rights attorney can help to determine if any offenses have occurred that would break state or federal law. It is important to understand how to report a HIPAA violation, but it is equally critical to find out if you have a legal avenue for any negative impacts that have occurred in your life because of the breach.
Wenzel Fenton Cabassa, P.A., can help people who feel that their employers violated HIPAA regulations. When employees want workplace justice, they call us. We have a strong track record of helping employees across Florida get justice when their rights have been violated under federal or state law.
When you meet with a lawyer to discuss your situation, there is no risk and no obligation. We take the time to listen, answer your questions, and review the details of your situation to help determine if you have a case.
Contact us today or call 813-212-3097 to request a free consultation. Your statute of limitations may be running out.