
What Happens if Your Practice is Reported for a HIPAA Violation



By Grantly Neely


How Does a Patient Report a HIPAA Violation?

Patients can report providers at any time by going to: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf

When the Office for Civil Rights (OCR) receives a complaint, they first check if they have the authority to investigate it. They can act on complaints if a covered entity or business associate may have broken HIPAA rules, and if the complaint is filed within 180 days of the issue. From there, OCR may offer guidance, send the complaint to another agency, investigate further, or close it without action.

Do You Know if You Get Reported for a HIPAA Violation?

When an investigation is complete, OCR sends a letter to the person who filed the complaint letting them know the case is closed. This letter may explain the steps OCR took or the actions the provider took in response. In some cases, OCR may work out a written agreement with the provider that includes corrective steps to fix any compliance issues found during the investigation.

Who Can Be Reported for a HIPAA Violation?

The following are examples of covered entities that must follow federal civil rights laws:

  • State and local government agencies that administer health care
  • State and local government income assistance and human services agencies
  • Hospitals
  • Medicaid and Medicare providers
  • Physicians and other health care professionals in private practice with patients assisted by Medicaid
  • Family health centers
  • Community mental health centers
  • Alcohol and drug treatment centers
  • Nursing homes
  • Foster care homes
  • Public and private adoption and foster care agencies
  • Day care centers
  • Senior citizen centers
  • Senior and infant nutrition programs
  • Any entity established under the Affordable Care Act, including state and federal health insurance exchanges
  • Health insurance plans or companies
  • HMOs
  • Pharmacies
  • Homeless shelters
  • Health researchers

Source: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf?lang=en

Can You Go to Prison for a HIPAA Violation?

Yes. In serious cases, HIPAA violations can lead to criminal charges and even prison time.

In 2010, a former UCLA Healthcare System employee named Huping Zhou was sentenced to four months in federal prison for illegally accessing patient medical records. Zhou had worked as a researcher at UCLA School of Medicine. After receiving notice that he was being dismissed for job performance reasons, he began accessing confidential patient records—including those of his supervisor, coworkers, and various celebrities—without any medical or legal reason.

Over a three-week period, Zhou accessed the patient records system 323 times. He continued to view records even after he was formally terminated. Zhou pleaded guilty to four misdemeanor counts of violating HIPAA's privacy provisions. He became the first person in the country to be convicted and sent to prison for misdemeanor HIPAA offenses simply for accessing records without authorization.

There was no evidence that Zhou tried to sell or misuse the information he accessed. Still, the court sentenced him to prison for his lack of respect for patient privacy.

Source: https://www.justice.gov/archive/usao/cac/Pressroom/pr2010/079.html