Despite the Privacy Rule requiring healthcare organizations and health plans to provide information about how to make a HIPAA complaint, some individuals are unsure about the circumstances in which they can make a complaint, who they should make it to, and what information the complaint should include.
According to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations and health plans are required to make reasonable and appropriate efforts to ensure the confidentiality, integrity, and availability of individually identifiable health information relating to patients and plan members.
This means not only that healthcare organizations, health plans, and their Business Associates must implement security measures to ensure only authorized persons have access to the information; the HIPAA Privacy Rule also stipulates under which circumstances information can be used or disclosed without a written authorization from the patient or plan member it relates to.
Patients and plan members also have the right to review what individually identifiable health information is maintained in their “designated record set”, request corrections if something is wrong, and limit who the information is shared with. If an impermissible use or disclosure occurs – or the right to access your designated record set is denied – you can make a HIPAA complaint.
What Information is Covered by HIPAA?
With a few exceptions, information used in whole or in part to make healthcare and payment decisions should be maintained in a designated record set. Additionally, information that could identify an individual in relation to the past, present, or future provision of healthcare can also be considered Protected Health Information – even if it is not maintained in a designated record set.
The term Protected Health Information (PHI) is used to define what information is covered by HIPAA, and usually this will include all health information, patient histories, test results, and billing details, provided it is created, used, maintained, or disclosed by a HIPAA Covered Entity – HIPAA Covered Entities being health plans, healthcare clearinghouses, and most healthcare providers.
Business Associates – companies that provide a service for or on behalf of a Covered Entity – are also required to comply with the Privacy and Security Rules. This means that any PHI shared with or disclosed to a Business Associate is subject to the same privacy and security standards as if it were created, used, maintained, or disclosed by a Covered Entity – including the right of access.
The List of HIPAA Identifiers
Because different Covered Entities and Business Associates have different functions, it is not possible to compile a definitive list of what information is covered by HIPAA. Therefore, many organizations are guided by the list of HIPAA identifiers that must be removed from a designated record set before the record set is no longer subject to HIPAA privacy and security standards. The list of identifiers is:
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g., retinal scan, fingerprints)
- Any unique identifying number or code
It is important to note that, if information relating to other individuals is included in the designated record set (e.g., names of spouses, employer's telephone number, email addresses of household members) and this information could be used to identify the subject of the designated record set, it must also be removed to be no longer subject to the HIPAA standards.
Why Make a HIPAA Complaint?
Patients and health plan members can make a HIPAA complaint about any violation of HIPAA even if the violation of HIPAA doesn't have a personal impact. Therefore, you can make a HIPAA complaint if you overhear a patient's case being discussed by healthcare professionals, if you receive an email with someone else's test results, or are dispensed someone else's medication with your own.
While these types of events may not have a personal impact on you, they could if the situations were reversed – e.g., another patient overhears medical professionals discussing your case, your test results are emailed to a stranger – or potentially worse, someone you know – or a pharmacist dispenses your medication to somebody else and there is none left to dispense to you.
Making a HIPAA complaint about these types of events alerts the negligent party to the violation, enables them to implement safeguards to reduce the likelihood of them happening again, and helps better protect your individually identifiable health information from impermissible uses and disclosures. Therefore, making a HIPAA complaint is more than just a public service.
Who Should I File a HIPAA Complaint With?
You can file a HIPAA complaint with the Covered Entity or Business Associate responsible for the violation, HHS' Office for Civil Rights (OCR), or your local State Attorney General. In most cases, the severity of the violation will influence your decision of who to file a HIPAA complaint with, while some states' privacy laws allow for a private right of action if you wish to pursue damages.
Therefore, if you overheard a discussion about another patient, and just want to raise your concerns with the healthcare facility, you would likely send an email to the facility's Privacy Officer. If, however, the violation is more serious – or inappropriate discussions continue within earshot of other patients – you may wish to file a HIPAA complaint via the OCR Complaints Portal.
If you wish to pursue damages – and your state's privacy laws allow it – you will need to file a HIPAA complaint with your State Attorney General as well as with OCR. Although OCR refers HIPAA violations which involve criminal activity to the Department of Justice, financial settlements from civil and criminal sanctions are not (currently) shared with victims of the violations.
What Information Should the Complaint Include?
Regardless of whether you make a HIPAA complaint to a Covered Entity, Business Associate, OCR or your State Attorney General, the information the complaint should include is mostly the same:
- Your name (anonymous complaints will not be acted on)
- Your phone number, address, and email address
- The name and address of the organization
- The date(s) on which the alleged violation(s) occurred
- A description of what happened and the consequences
- Any other information you feel is relevant to your complaint.
If you make a HIPAA complaint to OCR or your State Attorney General, you have to sign a consent form that allows the OCR and State Attorney General to disclose your Protected Health Information (if necessary) to the organization being investigated and to any other agencies that may become involved in the investigation (for example, the Department of Justice).
If you make a HIPAA complaint about an event that has not impacted you directly, you still have to complete the consent form. Even though your information may be shared with the violating organization, it is prohibited from discriminating against you by §160.316 of the HIPAA General Provisions. If you are discriminated against, you have further cause to make a HIPAA complaint.