
Medical Lab is seriously violating HIPAA but refuses to change


throwaway12453

New member
I'm in a serious situation where I discovered early on in my time at a medical research lab that my employers are storing their patient information (life events, phone numbers, names, DICOMs) through insecure means (like Dropbox, but also on a variety of other methods), which is 100% not approved by the institution, and I'm positive this is not HIPAA safe. I brought this to my PI's attention and she was completely dismissive of the problem. She said it's not something to worry about, even though I told her I spoke with the privacy department at our institution and they confirmed that if we were doing the exact things we are doing then we are in violation of HIPAA. It's not even a question of whether I misunderstood something. This violation is obvious and at a massive scale. What I want to know is: What is the most likely scenario if I report them? Will I face ramifications in any way if I'm the one reporting? I'm a pretty low-level staff member at the lab.

State: CA
 


Just Blue

Senior Member
I'm in a serious situation where I discovered early on in my time at a medical research lab that my employers are storing their patient information (life events, phone numbers, names, DICOMs) through insecure means (like Dropbox, but also on a variety of other methods), which is 100% not approved by the institution, and I'm positive this is not HIPAA safe. I brought this to my PI's attention and she was completely dismissive of the problem. She said it's not something to worry about, even though I told her I spoke with the privacy department at our institution and they confirmed that if we were doing the exact things we are doing then we are in violation of HIPAA. It's not even a question of whether I misunderstood something. This violation is obvious and at a massive scale. What I want to know is: What is the most likely scenario if I report them? Will I face ramifications in any way if I'm the one reporting? I'm a pretty low-level staff member at the lab.
What state?
 

FlyingRon

Senior Member
What sort of "medical research lab"? Are you even a covered entity under HIPAA? Just because you have human patients doesn't necessarily make you one; you have to be involved with electronic medical billing.
 

quincy

Senior Member
What sort of "medical research lab"? Are you even a covered entity under HIPAA? Just because you have human patients doesn't necessarily make you one; you have to be involved with electronic medical billing.
Even if not a HIPAA-covered entity (and apparently the "privacy department of the institution" believes it is), California's privacy laws are potentially violated by the medical research lab's treatment of patients' personal identifying documents.
 
