Instances of non-compliance with HIPAA should first be reported to:

In the context of reporting non-compliance with HIPAA, the correct process often begins at the supervisory level. Reporting to a supervisor is typically appropriate because they can provide immediate support and guidance on how to handle the situation. Supervisors are generally trained to recognize compliance issues and are responsible for managing their team's adherence to regulations, thus ensuring that reports are escalated to the appropriate individuals or departments if necessary.

The supervisor can facilitate the next steps, whether that means escalating the matter to the institution's privacy officer or another relevant authority. They serve as a critical link in the chain of communication within the organization, allowing for prompt action to address potential violations of HIPAA regulations.

In contrast, while institutional privacy officers, enforcement agencies like the Office for Civil Rights, or the Department of Health and Human Services play essential roles in addressing compliance violations, the initial reporting typically goes through the immediate supervisory structure. This ensures that issues are handled efficiently and locally before escalating to larger umbrella organizations or governmental bodies.