HIPAA violation reporting involves disclosing violations of the Health Insurance Portability and Accountability Act (HIPAA) to concerned parties.

Reporting a breach of unsecured PHI is a legal requirement, and organizations must inform regulators within 60 days of a breach. Failure to report within regulatory timescales can result in higher penalties, making streamlined HIPAA reporting policies critically important.

Reporting HIPAA violations involves both employees and organizations.

Organizations must submit required notices and provide a point of contact; HIPAA does not require filing them specifically through the privacy officer.

Companies assess internal reports and identify regulatory breaches. If a breach has occurred, the organization first informs affected individuals. The HIPAA officer then submits a formal report to the HHS Office for Civil Rights (OCR). In larger breaches, notifying the media may also be necessary.

Employees require training to identify potential violations and report them internally to compliance teams. They must be free to report breaches without fear of penalty, and are also permitted to submit reports directly to the OCR if needed.

When do you need to report a HIPAA violation?

Organizations must report breaches of unsecured PHI when they find that employees or business associates have violated the HIPAA privacy or security rules. Common reasons for HIPAA violation reporting include:

  • Unauthorized disclosure of protected health information (PHI): Organizations or employees share PHI without the patient's consent, putting their privacy at risk. A common example is sending a patient's data to the wrong recipient. Even if accidental, assess whether it is a breach; if so, follow breach-notification rules. If a risk assessment shows a low probability of compromise or an exception applies, notification may not be required.
  • Excessive sharing of patient information: Companies fail to follow HIPAA's “minimum necessary” guidelines, sharing more data than is needed for medical purposes.
  • Loss or theft of devices holding PHI: Companies may violate HIPAA by failing to secure physical devices or implement security measures to prevent access by unauthorized individuals.
  • Insufficient technical safeguards: Companies fail to implement reasonable technical measures to secure patient data and prevent data breaches. Such measures include encrypting data containers, using VPNs for remote connections, and enforcing robust access controls on sensitive information.
  • Unsafe disposal of patient data: Companies fail to remove PHI from paper records or discarded electronic devices.
  • Failure to train employees: Inadequate training can lead to data breaches and exposure of PHI.

These examples often require HIPAA violation reporting. Notify HHS within 60 days of discovery if ≥500 individuals are affected; for <500, report to HHS within 60 days after the end of the calendar year. However, there may be exceptions.

Notification is not required if a documented four-factor risk assessment shows a low probability that PHI was compromised, or if a regulatory exception applies. For instance, PHI accidentally shared between authorized employees, or an encrypted device stolen without its decryption key, may fall within an exception.

Despite these qualifications, reporting HIPAA violations is essential in many circumstances. Knowing how to submit a report is vital.

How to report a HIPAA violation?

Organizations and employees have three main options when reporting HIPAA violations: internal reporting, submitting formal reports to the OCR, or anonymous reporting.

Internal reporting

Organizations that handle PHI require a streamlined internal reporting process to detect potential violations and take prompt mitigation action. A specialist HIPAA privacy officer should manage the internal reporting system and assess each report to determine whether further notification is needed.

Employees need the knowledge to identify violations of HIPAA regulations and the confidence to report issues to managers or compliance professionals. During the assessment phase, compliance teams must act quickly to secure PHI and prevent further violations. The organization should also create a remediation plan to restore compliance and share it with OCR when it submits a formal notification.

HIPAA violation reporting to OCR

Reporting to the HHS Office for Civil Rights is necessary when an impermissible disclosure constitutes a breach of unsecured PHI, unless a risk assessment shows a low probability of compromise.

The easiest way to submit a report is via the OCR's Breach Reporting Portal. OCR staff verify they have received the report, and the investigation process begins.

OCR will assess the nature and scope of the violation to discover how many people are affected. Investigators seek to establish whether the breach occurred and determine whether it was accidental or deliberate. They also check whether the organization reported the incident promptly and notified concerned parties within HIPAA timescales.

For breaches affecting ≥500 individuals, notify HHS without unreasonable delay and no later than 60 days after discovery; for <500, report to HHS within 60 days after the end of the calendar year. Individuals must file OCR complaints within 180 days.

Anonymous reporting

Sometimes, victims or employees may wish to remain anonymous during the HIPAA violation reporting process. You may request confidentiality, but OCR does not investigate complaints filed without your name and contact information.

HIPAA violation reporting requirements

HIPAA violation reporting is a systematic process with several core requirements. Formal OCR reporting must cover the following areas:

  • The starting point is assessing whether a violation is reportable. Remember: not all cases of PHI exposure breach HIPAA regulations, although many do.
  • The covered entity must inform OCR about the nature of the violation. Document how many individuals are affected, the type of PHI, when the violation occurred, and the probable consequences.
  • Provide an accurate date of discovery with evidence to show the breach was not known before that date.
  • Include relevant evidence regarding the violation, such as activity logs, mitigation actions, or statements from key stakeholders.
  • State whether a business associate was involved and include contact details; BAA documentation need not be submitted with the breach report.
  • Include full contact details for the organization's HIPAA compliance officer to expedite the investigation process.

Additionally, the covered entity must notify concerned parties as part of the HIPAA violation reporting process. The covered entity must notify affected individuals and HHS (and, when applicable, the media); an appropriate organizational contact can submit these notices. If a case involves more than 500 residents of a state or jurisdiction, the organization must inform media outlets serving that state or jurisdiction.

The reporting process also has an internal dimension. Organizations should assess risks relating to the alleged breach, formulate mitigation plans, and align their systems with HIPAA requirements. They must update privacy and security policies, refresh staff training, and consider disciplinary action in cases of individual responsibility.

Why should you never delay HIPAA violation reporting?

Organizations that delay reporting HIPAA breaches risk higher final penalties. Speed is critical when detecting, assessing, and reporting regulatory violations.

Under the HIPAA Breach Notification Rule, healthcare organizations have 60 days to inform the HHS Office for Civil Rights (OCR) about breaches affecting 500 or more individuals. However, HHS guidance is that OCR should be notified without "unreasonable delay" within that window. Reporting as quickly as possible is a sensible policy.

Proactive reporting fosters a productive relationship between the covered entity and OCR. In this situation, formal investigations are often not required.

According to HHS statistics, from 2003 to 2024, only 12 percent of violation reports resulted in formal investigations. OCR prefers to resolve violations via voluntary corrective action, ideally soon after the violation is discovered.

Long delays also allow malicious attackers to extend their activities and inflict greater harm. The HHS Office for Civil Rights takes delays into account when levying penalties. Organizations that knowingly avoid reporting are far more likely to receive maximum fines.

Streamline processes for reporting HIPAA violations

HIPAA regulations protect patient privacy in a hostile digital world. The HIPAA system relies on prompt reporting by covered entities and business associates and penalizes those who fail to detect and report regulatory breaches.

A streamlined HIPAA reporting process strengthens your compliance status and guards against reputational damage. Ensure you train staff, implement reporting channels, and understand when and how to notify OCR.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. The laws, regulations, and penalties discussed are subject to change and may have been updated since the time of publication. We recommend consulting with a qualified legal professional for guidance on your specific compliance needs.