HIPAA Violation Response Checklist: What To Do When Rights Are Violated
Use this HIPAA Violation Response Checklist to act quickly and correctly when your rights—or a patient’s rights—are violated. It explains HIPAA complaint procedures, covered entity obligations, breach notification requirements, and the investigation protocols and corrective action plans that bring you back into compliance.
Filing a HIPAA Complaint
Where and when to file
- File with the provider’s or health plan’s Privacy Officer and/or directly with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
- File as soon as possible—HIPAA generally allows 180 days from when you knew of the violation, though OCR may extend for good cause.
What to include
- Describe what happened, when it occurred, and who was involved.
- Identify the specific protected health information (PHI) exposed or mishandled.
- Attach supporting evidence (emails, screenshots, letters, billing statements).
- State the harm or risk created and the outcome you seek.
Tips for a strong submission
- Be factual and chronological; avoid speculation.
- Keep copies of everything you submit and note dates of all communications.
- If applicable, also notify any business associate involved so it can alert the covered entity as required.
Covered Entity's Response to Violations
Immediate containment
- Stop the unauthorized use or disclosure and secure systems or records at risk.
- Preserve evidence (access logs, audit trails, emails) to support investigation protocols.
Risk assessment and breach analysis
- Assess the nature and extent of PHI involved, the unauthorized recipient, whether the PHI was viewed or acquired, and mitigation actions taken.
- Determine if an incident is a reportable breach under HIPAA or a non-breach event that still requires remediation.
Notification to individuals
- Provide clear, written notice that explains what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and contact information.
- Offer support such as credit monitoring when appropriate.
Leadership and oversight
- Engage the Privacy and Security Officers, compliance, IT, and legal counsel.
- Document decisions and rationales to demonstrate covered entity obligations were met.
Internal Complaint Handling Procedures
Intake and triage
- Log every complaint; acknowledge receipt to the complainant promptly.
- Classify severity, scope, and potential harm; escalate urgent matters immediately.
Investigation workflow
- Assign an impartial investigator with authority to access records and systems.
- Collect and preserve evidence, interview involved staff, and document findings.
- Apply written investigation protocols to ensure consistency and completeness.
Resolution and feedback
- Issue findings, corrective action plans, and timelines.
- Communicate outcomes to the complainant where permitted and close the case with a full record.
Reporting to HHS and Media
Reporting to HHS (OCR)
- For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days from discovery.
- For breaches affecting fewer than 500 individuals, maintain a breach log and submit it to HHS within 60 days after the end of the calendar year in which the breach was discovered.
Media notification
- If a breach affects more than 500 residents of a state or jurisdiction, notify prominent media in that area in addition to individual notices.
Business associates
- Business associates must notify the covered entity of breaches they discover, supplying the information needed for downstream notices.
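The reporting rules above can be turned into a small incident-tracker helper so the HHS route, outer deadline and media-notice states are computed consistently from one breach record. This is an added example, not code from the original page or from Accountable; the breach record below is constructed, and the thresholds are taken from the checklist as stated (500 or more individuals for direct HHS reporting, more than 500 residents of one state for media notice).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and windows exactly as the checklist states them.
HHS_DIRECT_REPORT_THRESHOLD = 500   # 500 or more individuals: report without unreasonable delay
NOTIFICATION_WINDOW_DAYS = 60       # outer bound for HHS reporting
MEDIA_STATE_THRESHOLD = 500         # media notice when MORE than 500 residents of one state


@dataclass
class NotificationPlan:
    hhs_route: str        # "direct report" or "annual breach log"
    hhs_deadline: date    # latest acceptable date, not a target date
    media_states: list    # states/jurisdictions that need a media notice


def notification_plan(discovered: date, residents_by_state: dict) -> NotificationPlan:
    """Derive HHS route/deadline and media-notice states from discovery date and per-state counts."""
    total_affected = sum(residents_by_state.values())
    if total_affected >= HHS_DIRECT_REPORT_THRESHOLD:
        # Large breach: no later than 60 calendar days from discovery.
        route = "direct report"
        deadline = discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    else:
        # Small breach: logged, then submitted within 60 days after the end of the
        # calendar year in which it was discovered.
        route = "annual breach log"
        year_end = date(discovered.year, 12, 31)
        deadline = year_end + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    # Media notice is decided per state/jurisdiction, and the test is strictly greater than 500.
    media = sorted(st for st, n in residents_by_state.items() if n > MEDIA_STATE_THRESHOLD)
    return NotificationPlan(route, deadline, media)


if __name__ == "__main__":
    # Constructed breach record: discovered 2024-03-10, 700 Texas and 120 Oklahoma residents.
    plan = notification_plan(date(2024, 3, 10), {"TX": 700, "OK": 120})
    print(plan.hhs_route, plan.hhs_deadline, plan.media_states)
```

The deadline the helper returns is the outer bound; the individual and HHS notices still have to go out without unreasonable delay.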
Investigation and Documentation
Structured fact-finding
- Create a timeline from incident discovery to closure, including key decisions and approvals.
- Corroborate facts using system logs, access reports, ticketing systems, and witness statements.
Decision records
- Record the breach determination analysis, mitigation steps, and notification decisions.
- Retain all HIPAA-related documentation, including policies and notifications, for at least six years from the date of creation or last effective date.
Root cause analysis
- Identify process, training, or control failures; map each failure to a corrective action.
- Define metrics to verify effectiveness (e.g., access exceptions, training completion, audit results).
Corrective Actions and Training
Corrective action plans
- Implement administrative, technical, and physical safeguards aligned to the root cause.
- Update or create policies, procedures, and sanctions; document all actions taken.
Targeted workforce training
- Deliver role-based training on PHI handling, minimum necessary, and incident reporting.
- Reinforce breach notification requirements and how to escalate potential violations.
Monitoring and verification
- Conduct follow-up audits, access reviews, and simulated exercises to validate compliance.
- Report progress to leadership and adjust corrective action plans as needed.
Non-Retaliation Policy
HIPAA prohibits intimidation or retaliation against anyone who files a complaint, participates in an investigation, or opposes unlawful practices. Your non-retaliation policy should state these protections plainly, define reporting channels, and outline consequences for violations.
- Communicate the policy during onboarding and annual training; make reporting options accessible.
- Protect the complainant’s confidentiality to the extent possible and monitor for adverse actions.
- Document all steps taken to prevent and address retaliation immediately.
In summary, act fast to contain the issue, follow documented investigation protocols, meet all covered entity obligations for notification, and implement corrective action plans that prevent recurrence. Consistent documentation and a strong non-retaliation culture demonstrate accountability and sustain compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
How do I file a HIPAA violation complaint?
Submit a written complaint to the provider’s or health plan’s Privacy Officer and/or file with HHS’s Office for Civil Rights. Include a clear description of what happened, dates, people involved, the PHI affected, and any evidence. File promptly—generally within 180 days of when you knew about the violation—and keep copies of everything you send.
What steps must a covered entity take after a HIPAA breach?
Contain the incident, conduct a risk assessment, determine if it is a reportable breach, notify affected individuals, report to HHS (and media when required), mitigate harm, and implement corrective action plans with follow-up training and monitoring. Document each step and decision throughout.
How long does the covered entity have to report a breach to HHS?
For breaches affecting 500 or more individuals, report without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting fewer than 500 individuals, log them and report to HHS within 60 days after the end of the calendar year in which the breach was discovered.
What protections do I have against retaliation for filing a HIPAA complaint?
HIPAA bars covered entities and their business associates from intimidating, threatening, coercing, discriminating against, or retaliating against you for filing a complaint or participating in an investigation. Organizations must maintain and enforce a written non-retaliation policy and promptly address any adverse action.