How to Report a HIPAA Violation

Legally Reviewed and Edited by: Terry Cochran

NOTE: “This blog is for informational purposes only. Cochran, Kroll, & Associates, P.C does not provide services directly related to HIPAA violations.” 

In recent years there has been a proliferation of health care data breaches, and several widely reported HIPAA privacy and security breaches have been caused by cyberattacks and ransomware. Many reported breaches, however, still stem from more mundane causes: stolen or lost laptops and computers, the unsecured transmission of health information (for example unencrypted email or a misdirected fax), staff who do not know the rules, and plain gossip. A personal injury lawyer at Cochran, Kroll & Associates, P.C. can help you report a violation and manage a claim.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) is federal legislation that provides data privacy and security provisions for safeguarding medical information. Two components that affect the privacy and security of your PHI (protected health information) are:

  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule gives you rights over your health information and provides rules as to who can view or receive your information, whether written, electronic or oral.
  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for protecting patient data held in electronic form (ePHI). It requires covered entities and business associates to put administrative, physical and technical safeguards in place, including risk analysis, access controls, audit logging and the integrity and transmission security of ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA's enforcement and breach-notification requirements. Its provisions were folded into the HIPAA Omnibus Final Rule of 2013, which made business associates of covered entities directly liable for compliance. In 2016, HHS guidance confirmed that cloud service providers that store or process ePHI on behalf of a covered entity are business associates, even when the data is encrypted and the provider never holds the decryption key.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 days after the breach is discovered. The U.S. Department of Health and Human Services (HHS) must also be notified, and breaches affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets. Business associates must notify the covered entity of breaches they discover. In addition, each state may have its own, stricter privacy and breach-notification rules.

Protected Health Information Under HIPAA

The HIPAA Privacy Rule protects all "individually identifiable health information," called "protected health information" (PHI), that is held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The "18 identifiers" often mentioned in connection with HIPAA (names, geographic subdivisions smaller than a state, dates other than year, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, account numbers, device identifiers, IP addresses, biometric identifiers, full-face photographs and the like) are the data elements that must be removed for information to count as de-identified under the Privacy Rule's Safe Harbor method; they are not the full definition of PHI.

PHI includes:

  • Demographics, e.g., a patient’s name, address, birth date, and Social Security number
  • Past medical history
  • Physical or mental health condition
  • Any care provided to an individual
  • Information concerning payment for the care provided that identifies the patient
  • Any other information for which there is a reasonable basis to believe it could be used to identify the patient

De-identified data, however, is not PHI, and the Privacy Rule places no restrictions on its use or disclosure. Information counts as de-identified only if it meets one of the Rule's two standards: the Safe Harbor method (all 18 identifiers of the individual and of relatives, employers and household members are removed, and the entity has no actual knowledge that the remaining information could identify the individual) or Expert Determination (a qualified expert documents that the risk of re-identification is very small). Such data may then be used for research, data analysis or similar purposes.

Covered Entities under HIPAA

Examples of covered entities:

  • Health care providers
  • Health Plans
  • Health care clearinghouses

A business associate is a person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity. Examples include:

  • Accounting or consulting firms
  • Medical transcriptionists
  • Pharmacy benefits managers
  • Third-party administrators
  • Mobile health application developers
  • Any other vendor or subcontractor that handles PHI for a covered entity (a covered entity's own employees are members of its workforce, not business associates)

Most Common HIPAA Violations

HIPAA violations most often fall into these categories:

  • Impermissible uses and disclosures of PHI
  • Lack of access controls, or denying patients access to their own records
  • Failure to provide a Notice of Privacy Practices
  • Violations of the Minimum Necessary Rule (using or disclosing more PHI than a task requires)
  • Inadequate administrative, physical or technical security safeguards

Incidents include:

  • Stolen or lost laptop, smartphone or USB device, especially one holding unencrypted PHI
  • Breaches at a business associate
  • EHR snooping: viewing the records of patients you are not treating
  • Office break-ins
  • Sending PHI to the wrong patient or recipient, or disclosing it without valid authorization
  • Transmitting PHI over unsecured channels, such as unencrypted email or a misdirected fax
  • Discussing PHI outside of the office
  • Social media posts that reveal patient information
  • Malware infection, hacking or a ransomware attack

Your healthcare provider must give you a Notice of Privacy Practices explaining how your PHI is used and protected, and must notify you if your unsecured PHI is involved in a breach.

How to Report a Breach

If you have witnessed a violation, received health information not meant for you, learned of stolen devices going unreported, or encountered any of the incidents mentioned above, you may file a complaint with the HHS Office for Civil Rights (OCR). OCR can only act against covered entities and business associates, so first confirm that the organization involved is one of these. You can file the complaint on your own behalf, for someone else or for your organization.

You can file through the electronic complaint portal on the OCR website or by mail, fax or email; the complaint must name the covered entity or business associate, describe the act or omission you believe violated HIPAA, and be filed within 180 days of when you knew, or should have known, that the act occurred (OCR may extend this deadline for good cause). Gathering the details in advance is essential, and a medical lawyer at our law firm can assist you with them. Supporting documentation of the breach, such as the misdirected letter or a record of the incident, will help the process move much faster.

Disclaimer: The information provided is general and not legal advice. The blogs are not intended to provide legal counsel, and no attorney-client relationship is created or intended.

Nikole has a special interest in medical-legal issues and holds post-basic degrees in medical law and business. She has developed quality improvement and safety plans for many practices and facilities to prevent medical-legal issues and teaches several courses on data protection and privacy, legal, medical examinations and documentation, and professional ethics. She has been writing professionally on legal, business, ethics, patient advocacy, research and medico-legal issues in articles, white papers, business plans, and training courses for over thirty-five years.
