Ensuring the privacy and security of sensitive health information is vital for every business.
The Health Insurance Portability and Accountability Act (HIPAA) plays a critical role in safeguarding patient data, but unfortunately, violations can still occur. Reporting HIPAA violations is essential to maintain trust in the healthcare system and protect patients’ rights.
While you may hesitate to report violations due to fear of retaliation or privacy concerns, the option to do so anonymously exists, offering a secure way to hold wrongdoers accountable.
Should you decide to report HIPAA violations anonymously, the guide below can help you understand the steps involved.
Why Report HIPAA Violations Anonymously?
HIPAA prohibits retaliation against anyone who reports a violation. However, it’s understandable that you may still fear retaliatory acts after submitting a complaint.
Anonymity shields you from potential retaliation by employers or individuals involved in the violation. It also encourages more individuals to come forward with critical information and allows complainants to protect their identity and personal information.
Allowing anonymous reporting means that those who violate HIPAA will be held accountable for their actions. It also compels organizations to enforce stricter security measures to protect patient data from unauthorized access.
Steps to Anonymously Report HIPAA Violations
Report to the Office for Civil Rights (OCR)
The OCR, under the Department of Health and Human Services (HHS), is the primary enforcement body responsible for overseeing HIPAA compliance and investigating potential violations. According to the Compliancy Group, anonymously reporting to the OCR is a myth, as the OCR requires that you give your name and contact information for an investigation to ensue.
However, in the course of filing a complaint, you may deny OCR consent to reveal your identity and any identifying information. The OCR will keep your identity confidential from the covered entity or business associate once the investigation starts. Even so, the OCR emphasizes that “this denial of consent is likely to impede the investigation of my complaint and may result in closure of the investigation.”
If you still want to continue to report anonymously to the OCR despite this warning, you may choose the following channels mentioned on the HHS website:
Online Complaint Portal
The OCR Complaint Portal Assistant allows individuals to submit complaints confidentially through the following steps:
- Fill in the complainant information, complaint details, additional information, and signature.
- In the consent section, click “consent denied.” This prevents the OCR from revealing the complainant’s identity or any identifying information.
- Review your details and submit.
Written complaints can be sent to the OCR’s mailing address without revealing your identity. Print the complaint and consent forms, fill them out, and send them to:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
Report to the Centers for Medicare & Medicaid Services (CMS)
CMS, under the U.S. Department of Health and Human Services (HHS), also plays a vital role in enforcing HIPAA regulations.
Individuals can report the violation anonymously to CMS using the ASETT website if it involves Medicare or Medicaid. Registration is not mandatory, but doing so enables complainants to save drafts and track complaints.
For anonymous reporting, follow these steps:
- Choose File a HIPAA Complaint
- Choose the Complaint Type
- Under Complainant Details, click “Yes” after the question, “Do you want to remain anonymous during this process?”
Note that the disclaimer mentions, “If you select yes, CMS will not share your information with the Filed Against Entity (FAE) during the investigation process. However, information provided in this complaint is subject to rules and policies under the Freedom of Information Act (FOIA).”
Report to the State Attorney General
In some cases, you may prefer to report HIPAA violations to your State Attorney General’s office. Many states have their own laws and mechanisms for reporting healthcare-related violations. Check your state’s official website or contact the Attorney General’s office to find out whether it allows anonymous reporting.
For instance, the New York Attorney General Technology and Information Privacy Complaints webpage allows you to withhold contact information when filing a report.
Report to the Federal Trade Commission (FTC)
The FTC Privacy and Security Enforcement webpage shows that the agency is actively involved in enforcing consumer privacy and security rights, including HIPAA violations.
While the FTC Sample Complaint Letter webpage says that they don’t resolve individual complaints, your report may help them “detect patterns of wrongdoing and may lead to an investigation.” To ask about anonymously reporting HIPAA violations, contact the Office of the Inspector General (OIG).
Knowing how to report HIPAA violations anonymously can help ease fears that a covered entity or business associate will retaliate. The various channels provided by the OCR, CMS, State Attorneys General, and the FTC enable individuals to protect their identities while contributing to investigations and promoting compliance. While anonymous reporting may impede an investigation by the OCR, you may also explore other channels to file your complaint.