What Up Wednesday - #5 What happens after a HIPAA violation is reported?

What happens after a HIPAA violation is reported?
If you report a HIPAA violation, the OCR will investigate your complaint and take appropriate action if a violation has occurred. The OCR may take the following actions:
- Issue a warning letter to the health care provider
- Fine the health care provider
- Require the health care provider to take corrective action
The OCR carefully reviews all health information privacy and security complaints. Under the law, the OCR may take action on a complaint only if:
- Your rights were violated by a covered entity or business associate
- You file your complaint within 180 days of the violation
At the end of the investigation, the OCR issues a letter describing the resolution of the investigation.
If OCR determines that a covered entity or business associate may not have complied with the HIPAA Rules, that entity or business associate must:
- Voluntarily comply with the HIPAA Rules
- Take corrective action
- Agree to a settlement
If the covered entity or business associate does not take satisfactory action to resolve the matter, the OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.

In the final email of this series, we will discuss how to protect yourself from HIPAA violations.