The approximately 6,100 hospitals in the United States employ more than 5 million people. Some healthcare networks consist of over 100 hospitals and 10,000 workers or more. At this scale, HIPAA violations can seem like a question of when, not if. How long do organizations have to report HIPAA violations, and when is reporting required?
Is It Mandatory To Report HIPAA Violations?

Reporting a HIPAA violation is mandatory when the situation exposes a patient’s protected health information. For example, if a successful phishing attack allowed cybercriminals to gain access to thousands of electronic health records, the healthcare provider would have to report the data breach as soon as possible. That said, even though all violations of the HIPAA Security and Privacy Rules are serious, organizations don’t need to report every minor compliance failure.
Always Mandatory: Data Breaches
The HIPAA Breach Notification Rule requires covered entities and business associates to report data breaches “without unreasonable delay.” This rule applies to unsecured PHI, such as medical records, prescriptions, contact information, and other patient details that aren’t protected by encryption or anonymization.
Under HIPAA regulations in 45 C.F.R. § 164.400, after a PHI data breach, organizations must notify every patient who had their information exposed or used improperly. The notification should tell affected patients what happened, what information was accessed or exposed, and how your organization is dealing with the situation.
Sometimes Required: Accidental Violations
What if the HIPAA violation involved a privacy or security failure that isn’t likely to compromise patient records, such as sending encrypted files to a coworker? Depending on the circumstances, organizations may not need to follow the data breach disclosure process. But the employee or department responsible must report the failure to the company’s HIPAA compliance team immediately.
Often Connected: State Regulations and Other Laws
In addition to HIPAA reporting requirements, organizations may have to comply with state regulations after data breaches. Florida statutes require organizations to disclose data breaches within 30 days. When the ePHI involves EU residents, GDPR only gives companies 72 hours to provide the initial notification to a Data Protection Authority.
How Long Do You Have To Report a HIPAA Violation?
The time limit for reporting a PHI data breach is 60 days. The clock starts running from the time the covered entity learns about the breach. This two-month window gives covered entities time to discover who the breach impacted and how large the exposure was.
Business Associates
HIPAA applies to business associates, too. When a third-party provider experiences a breach of PHI, the vendor must notify covered entities within 60 days. Both parties can agree on who should alert patients, but the ultimate responsibility under HIPAA falls to the covered entity.
HIPAA Violation Complaints
The time limit for filing a HIPAA privacy or security complaint with the Office for Civil Rights (OCR) is usually six months. Extensions can be granted for “good cause,” such as discovering that an employer covered up a breach.
What Is the Timeline for HIPAA Reporting?

Whenever any HIPAA violation happens — breach or no breach — organizations must follow some standard steps.
1. Internal Reporting
First, the employee who noticed or was responsible for the HIPAA violation should report the issue immediately, either to a supervisor or directly to the HIPAA Privacy or Security Officer.
2. Data Breach Risk Assessment
The HIPAA officer in charge of privacy or security must conduct a risk assessment related to the suspected HIPAA violation. The officer looks at how likely it is for the disclosure to negatively impact the patient’s privacy or security. Was the information sent accidentally to another doctor who isn’t likely to ever treat the person anyway?
3. Corrective Actions
Regardless of the circumstances, organizations must take corrective actions to avoid similar HIPAA violations in the future. This can include reminding employees of HIPAA rules and deleting any unauthorized copies of the data.
4. Patient Notifications
If the HIPAA compliance team determines that a breach of PHI has happened, they must notify all affected patients as soon as possible. You must store proof of these notifications along with other HIPAA records.
5. Notification to the Secretary of HHS
It’s mandatory to report breaches of ePHI to the Secretary of Health and Human Services through the OCR portal. When a breach affects fewer than 500 individuals, covered entities can wait until the end of the calendar year to submit these reports to HHS. Each breach must still be reported separately, however.
6. Potential Media Release
HIPAA requires covered entities to announce a data breach to the media when it affects more than 500 residents of the state. The time limit for press releases is 60 days.
Was It Really a HIPAA Violation?
Not all sharing of PHI goes against HIPAA rules. Healthcare providers can use PHI to provide treatment, handle claims, and bill patients, for example. This TPO (treatment, payment, and healthcare operations) exception includes sharing medical records when consulting with other physicians. You can also share PHI with patient consent.
Similarly, not all accidental HIPAA violations are considered data breaches. When a worker was acting in good faith and is normally authorized to access patient data, the accidental use probably isn’t a breach.
For example, nurses who accidentally see charts for patients not under their care aren’t guilty of a data breach. Deliberately looking for prohibited files or saving a copy of the records would be, however.
Who Can Report HIPAA Violations?
Patients can file a HIPAA complaint if they suspect improper use or sharing of their records. Employees, including whistleblowers, can also file HIPAA complaints.
For this reason, some organizations choose to play it safe and report even relatively minor HIPAA violations. Nothing prevents you from reporting voluntarily, and doing so can help avoid penalties for a violation if the OCR decides to investigate.
How Can Your Organization Comply With HIPAA Reporting Requirements?

In addition to creating detailed policies for reporting HIPAA violations, your organization must monitor compliance. You have to make sure all employees have the necessary training, receive appropriate disciplinary actions after violations, and follow through on corrective measures.
Put simply, you need a HIPAA compliance solution like Compyl. Ensure your organization reports HIPAA violations on time. Manage the entire process from a centralized dashboard. Request a demo today and see how effortless HIPAA compliance can be.