All patients have the right to complain to a Covered Entity or Business Associate if they have concerns over HIPAA compliance within the organization. But what happens after a HIPAA complaint is filed? Is there a timeline that the complaints procedure should follow? What can patients expect?
First, we will give a brief overview of the HIPAA complaints procedure. Upon registering with a health plan or healthcare organization, patients should be provided with a Notice of Privacy outlining how their data will be used, who can access it, and – importantly – to whom complaints should be directed within the organization. HIPAA requires that all CEs and BAs appoint a HIPAA Privacy Officer and HIPAA Security Officer. In some instances, particularly in smaller organizations, these may be combined into a single role of “HIPAA Compliance Officer”.
The duties of this Compliance Officer are varied – for example, they oversee HIPAA training within the workplace – but, crucially, they are the point of contact for any patient concerned with HIPAA compliance. The contact details of this Officer should be easily accessible to patients and provided alongside the Notice of Privacy.
The Compliance Officer should be the first port of call for all patients concerned with HIPAA compliance. However, in some cases, patients can file complaints directly with the Office for Civil Rights (OCR) within the Department for Health and Human Services. The OCR is the main body responsible for enforcing HIPAA. State Attorney Generals also have HIPAA enforcement capabilities, and patients can file complaints with the Attorney Generals if they so wish. However, the majority of States require that the complaint is made to the healthcare organization or health plan before being escalated to the Attorney General’s Office.
Aside from stipulating that all complaints should be documented, HIPAA does not offer any guidance on how Compliance Officers should handle complaints. Even so, all patients should expect to receive a notification that their complaint has been received after they lodge it.
After receiving a complaint, the Compliance Officer will undertake an investigation to assess whether a HIPAA violation occurred. This may involve steps such as talking to the employees involved in the complaint, or checking logs to see who had access to PHI. In many cases, the Compliance Officer will determine that no violation occurred. If this is the case, the patient should receive a detailed explanation as to why this conclusion was reached.
In other cases, the Officer may decide that the violation was “minor”, particularly if it did not result in a breach of PHI. To resolve such complaints, the CE or BA may commit to providing extra training, or implementing more safeguards to protect PHI. If the Officer determines that a violation was “major” (usually meaning that PHI was accessed by unauthorized individuals), they may then refer the complaint to the OCR. All violations that result in a breach of PHI must be reported to the OCR.
Sometimes, the patient may be dissatisfied with the conclusions of the HIPAA Compliance Officer. If this is the case, they may then make a complaint with the OCR or the State Attorney General. If the complaint is escalated to the OCR, this must be done within 180 days of the original incident.
Once they have the complaint, whether it was referred by the CE or BA or made directly by the patient, OCR (or Attorney General) will then conduct their own investigation. The first step is to assess whether a violation occurred. Indeed, nearly two-thirds of the complaints made to the OCR are dismissed because they were not valid complaints (or because they were not made in time).
If the OCR determines that a complaint is valid, they have a number of different options. In many cases, particularly for minor violations, the OCR will liaise directly with the CE or BA and offer technical assistance or support to rectify the problem. They may also issue “corrective action plans” to be implemented by the organization. These “informal” solutions are favored by the OCR.
In more extreme cases, the OCR or Attorney General may issue the CE or BA with a financial penalty. These penalties are tiered in line with the severity of the violation. Additionally, if they suspect that criminal activity occurs, they may refer the case to the Department of Justice.