With more than 826,000 registered and licensed physicians operating in the United States, it's impossible for the Office for Civil Rights (OCR) to audit each and every practice. As a result, many Health Insurance Portability and Accountability Act (HIPAA) violations go unnoticed. But the OCR encourages patients and workers alike to step forward when a violation occurs, as this allows privacy discrepancies to be fixed.

So, how do you know if a HIPAA violation has occurred? Well, first you must familiarize yourself with the nuances of HIPAA and what it entails. You can read through some of our previous blog posts here at AllPointCompliance to gain a better understanding of HIPAA, but it basically consists of several Rules, including the Privacy, Security, and Breach Notification Rules. The Privacy Rule addresses patient privacy with regard to Protected Health Information (PHI), whereas the Security Rule focuses strictly on Electronic Protected Health Information (EPHI).

Can I Be Retaliated Against for Filing a HIPAA Complaint?

Absolutely not! Under whistleblower protection laws, you are protected against any retaliatory actions for filing a HIPAA complaint. The Department of Health and Human Services even published the following on its website: “Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.”

What About OSHA?

The Occupational Safety and Health Administration (OSHA) is classified as a public health authority and a “health oversight” agency under HIPAA. This means OSHA can use Protected Health Information without authorization when investigating whistleblower complaints. In its report, however, OSHA said that it will not disclose PHI without reasonable belief that such disclosure is necessary to prevent a threat to health and safety.

Here are the requirements for filing an official HIPAA complaint:

  • The complaint must name the covered entity or business associate that violated HIPAA.
  • It must also describe the act in which the violation occurred.
  • HIPAA complaints must be filed within 180 days of discovery of the violation (note: the OCR may extend this deadline if you can show good cause).
  • Complaints must be filed in writing using the OCR's Complaint Portal, or by paper mail, fax, or e-mail.


Image credit: Kate Ter Haar via Flickr Creative Commons.
