The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Report a HIPAA Violation Anonymously

There are ways you can report a HIPAA violation anonymously but, due to the risk your anonymous report may be dismissed by HHS’ Office for Civil Rights, it is a better option to include your name and contact details and request they are not revealed to the organization you are complaining about. Alternatively, you may be able to report a HIPAA violation anonymously to a different agency, or directly to the organization at which the violation occurred.

When you file a health information privacy complaint or a security rule violation complaint via the Office for Civil Rights (OCR) Complaints Page, the first page asks you for your name and contact details. The reason for this is that, if OCR reviews your complaint and decides to investigate it, the agency may want to contact you for further information.

You cannot go beyond the first page of the complaints process without entering contact details, and, if you complete the form using fictitious contact details, OCR will be unable to contact you to obtain the information it needs to conduct an investigation. Because of these limitations, it is not possible to report a HIPAA violation anonymously via the OCR Complaints Portal, and it is not worthwhile to do so using fictitious contact details.

There are Other Ways of Filing a Complaint with OCR

The Complaints Portal is not the only way to file a complaint with OCR. You can download a complaint form, complete it, and send it to OCR by mail or as an email attachment. The form allows you to deny consent for revealing your name or any identifying information – which is not the same as reporting a HIPAA violation anonymously and “may result in the closure of the investigation”.

You can also write anonymously to OCR, send an email from a disposable temporary email address, or call the agency directly at (800) 368-1019. If you find none of these approaches work because OCR does not want people to report a HIPAA violation anonymously, you could try one of OCR’s Regional Offices to see if one of these is willing to accept an anonymous report.

OCR is Not the Only Agency You Can Complain To

HHS’ Office for Civil Rights is not the only “enforcer” of HIPAA. Violations of the Administrative Requirements can be reported to the Centers for Medicare and Medicaid Services (CMS), violations of the Breach Notification Rule by organizations not covered by HIPAA can be reported to the Federal Trade Commission, and criminal violations can be reported to the Department of Justice.

All these agencies have complaints processes similar to OCR inasmuch as it is difficult to report a HIPAA violation anonymously. This is also usually the case with Offices of State Attorneys General. However, if you have a strong case for an investigation and explain why you are unwilling to reveal your identity, you may be able to report a HIPAA violation anonymously to a state agency.

How Else to Report a HIPAA Violation Anonymously

State and federal agencies are not the only bodies you can approach with a health information privacy complaint or a security rule violation complaint. You can also directly approach the organization responsible for the HIPAA violation. This gives you more options to report a HIPAA violation anonymously and a greater likelihood that the violation you are reporting is addressed.

It is important to note that, unless the complaint involves a data breach subsequently reported to OCR by the organization, there will be no enforcement action taken by any state or federal agency. However, while there will be no record of an organization “getting into trouble” for failing to comply with HIPAA, your anonymous report may prevent somebody else from experiencing an adverse event attributable to a privacy or security violation.

How to Report a HIPAA Violation Anonymously FAQs

Why doesn’t OCR want people to report a HIPAA violation anonymously?

Not only does it make it very difficult to investigate a privacy complaint without knowing who the complaint relates to, but malicious individuals could make unsubstantiated complaints that waste the time of both OCR investigators and the organization being investigated. By insisting on verifiable contact details, OCR can prevent malicious and unsubstantiated complaints – even though this requirement could dissuade some individuals from making justifiable complaints.

If I have to give my name, what protection do I have against retaliation?

§160.316 of the HIPAA Administrative Simplification Regulations prohibits covered entities and business associates from threatening, intimidating, coercing, harassing, discriminating against, or taking any retaliatory action against an individual who reports a HIPAA violation. This not only applies to patients and health plan members but to any individual – including members of a covered entity’s or business associate’s workforce.

Can I report a HIPAA violation anonymously if the violation affects someone else?

Even if you are reporting a HIPAA violation on behalf of another person, OCR, CMS, the Federal Trade Commission, and the Department of Justice will require your verifiable contact details to ensure the report is not malicious and unsubstantiated. You may be able to report a HIPAA violation anonymously to a State Attorney General’s office, but the best way to make a report anonymously is to approach the noncompliant organization directly.

How do I report a criminal violation of HIPAA anonymously to the Department of Justice?

Unlike some crime “tip lines”, the Department of Justice does not accept anonymous reports. The only route to reporting a criminal violation anonymously is to contact the noncompliant organization’s Privacy Officer, who should investigate your complaint (subject to you having a strong case). If the Privacy Officer believes a criminal violation has occurred, they will report it to OCR, who will refer it to the Department of Justice for investigation.

What should I do if I complain anonymously to an organization, but nothing happens?

It may be difficult to know if your complaint to an organization has been ignored because the organization has no way of contacting you to explain what it is doing to correct the violation – which may take some time if it involves the development of new policies and additional workforce training. However, if you are certain your complaint has been ignored and it is still within 180 days of the violation being identified, you can escalate your complaint to OCR – albeit not anonymously.

Are HIPAA complaints anonymous?

Although you can request that your name be withheld when you make a complaint to OCR, complaints made anonymously will not be investigated. This not only applies to complaints made to OCR, but also to State Attorneys General, county HHS offices, and – where applicable – CMS, and the FTC. The option exists to phone an agency and make a complaint anonymously, but without your name, it is unlikely any further action will be taken.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
