How to Report a HIPAA Violation to Your State Board of Nursing (Step-by-Step)

Identify Relevant State Board of Nursing

If you witnessed a potential HIPAA violation by a nurse, begin by pinpointing which State Board of Nursing has authority. State Nursing Board Jurisdiction typically follows where the conduct occurred, but the board may also coordinate with the nurse’s home state if multistate licensure is involved.

Confirm the nurse’s identity and license details before you file. Use Nurse License Verification to capture the license number, legal name, and current status. If the individual is not a nurse or the event occurred outside nursing practice, the board may direct you to a different authority.

• Determine the state where the incident happened and where the nurse practices.
• Note the facility type (hospital, clinic, long-term care, telehealth) and the care setting.
• Record the role of each person involved (RN, LPN/LVN, APRN, student, supervisor).

Review Board Complaint Procedures

Every board publishes Complaint Submission Protocols. Read these closely to learn who may file, what the board accepts, and whether anonymous reports are allowed. Align your report with Nursing Regulatory Compliance expectations and the HIPAA Privacy Rule terminology used by the board.

• Identify required fields, supporting documents, and acceptable formats (PDF, image, narrative).
• Check instructions on confidentiality and how the board handles your identity.
• Review any guidance about parallel reporting to the employer’s privacy officer or other agencies.

Gather Detailed Incident Information

Assemble a precise, chronological account of the event. Focus on facts that show a Patient Confidentiality Breach (who disclosed what, to whom, when, where, and how) and the impact on the patient. Avoid speculation; stick to observable details.

• Key facts: dates/times, location, names/titles of individuals involved, and witness contact details.
• Evidence: copies of policies, written communications, or logs that corroborate your account.
• Privacy safeguards: de-identify whenever possible and include only the minimum necessary information.
• Do not create new disclosures—never post, share broadly, or remove original patient records from secure systems.

Translate clinical actions into clear language that ties to the HIPAA Privacy Rule (for example, verbal disclosure in a public area, accessing a record without a care-related need, or sharing screenshots outside secure channels).

Complete Official Complaint Form

Open the official form and complete every required item. Provide your full contact details unless the board explicitly allows anonymous filing and you choose that route. Use a concise narrative that makes it easy for reviewers to understand what happened and why it may violate HIPAA and professional standards.

• Start with a one-paragraph summary, followed by a dated timeline.
• Reference attachments by filename (e.g., “Attachment A – Unit Privacy Policy”).
• State how the conduct departs from Nursing Regulatory Compliance and the facility’s policies.
• Sign any attestations, acknowledgments, or releases the board requires.

Submit Complaint via Approved Channels

Send the complaint exactly as instructed—online portal, secure email, postal mail, or in person. Use the formats and file size limits specified by the board. Keep copies of everything you submit.

• Label files clearly and redact nonessential identifiers.
• Do not send original records you cannot replace.
• Request or note a confirmation number, case ID, or timestamped receipt.

Await Complaint Acknowledgment

After submission, the board typically issues an acknowledgment with a case number or status update. If you do not receive one within the timeframe described in the board’s instructions, follow up using the designated contact method.

• Preserve confidentiality and avoid discussing the case outside proper channels.
• Document any new, related events and note their dates/times.
• Be prepared to clarify details or provide additional materials if requested.

Understand Board Investigation Process

Boards use Disciplinary Investigation Procedures designed to assess jurisdiction, credibility, and potential violations of nursing law and rules. First, staff screen for State Nursing Board Jurisdiction and whether the allegations, if true, would violate professional standards or implicate the HIPAA Privacy Rule.

• Triage and screening: confirm jurisdiction and adequacy of information.
• Evidence gathering: obtain records, interview witnesses, and request a response from the nurse and employer.
• Analysis: compare facts to statutes, rules, and standards of Nursing Regulatory Compliance.
• Outcome: dismiss, issue non-disciplinary guidance, or pursue discipline (reprimand, education, fine, probation, suspension, or revocation).

If the board substantiates violations, final actions often appear in public records and may be reflected in Nurse License Verification. The board may also refer matters to other authorities when appropriate.

Summary

To report a HIPAA violation to your State Board of Nursing, identify the correct board, follow its Complaint Submission Protocols, provide a fact-based, minimally necessary account with supporting documents, submit via approved channels, and respond promptly to any follow-up. The board will determine jurisdiction, investigate, and decide on appropriate action to protect patients and uphold professional standards.

FAQs

What information is required to report a HIPAA violation?

You should provide the nurse’s name and role, relevant license details (from Nurse License Verification if available), a concise timeline of events, what protected health information was disclosed or accessed, how the HIPAA Privacy Rule may have been breached, witnesses, and supporting documents such as policies or messages. Include only the minimum necessary information and avoid creating new disclosures.

How do I find the correct State Board of Nursing?

Identify the state where the incident occurred and confirm where the nurse practices; that state’s board usually has primary jurisdiction. If multistate licensure or telehealth is involved, file with the board where the conduct happened—boards coordinate when needed. Use Nurse License Verification to confirm the license state and number.

Can complaints be submitted anonymously?

Many boards accept anonymous complaints, but policies vary. Anonymous reports may limit the board’s ability to verify facts or contact you for clarification, which can affect whether the case proceeds. Review the board’s Complaint Submission Protocols before deciding.

What happens after a complaint is filed with the Board of Nursing?

The board screens for jurisdiction, requests information as needed, and investigates by collecting records and statements. It then determines whether nursing laws or standards were violated and may dismiss, issue guidance, or impose discipline. Final outcomes are often public and may appear in Nurse License Verification.