What happens once a HIPAA complaint is filed? Are there any set procedures in place? What can employees, patients, Covered Entities and Business Associates expect? We discuss what happens after a HIPAA complaint is filed here.
All patients have the right to register any HIPAA-related concerns and make complaints with an organization’s HIPAA Privacy Officer or HIPAA Security Officer (who may be called “HIPAA Compliance Officers”). The contact details of these Officers should be readily available to patients, and provided as part of the Notice of Privacy Practices given to patients when they first register with the healthcare plan or healthcare provider. This Notice of Privacy should also outline how the organization will use a patient’s PHI.
As State Attorneys General are also responsible for HIPAA enforcement, patients have the option to lodge a complaint directly with them. However, in most States, the Attorney General requires the complainant to first lodge their complaint with the Covered Entity (CE) or Business Associate (BA). This can slow any remediation procedures. It also highlights the importance of maintaining good records of any correspondence between the patient and the CE/BA.
There are a number of possibilities after a patient has registered a complaint with the CE or BA. HIPAA does not provide any strict guidelines on the post-complaint procedure, aside from stating in the Privacy Rule that all complaints must be documented. Patients can therefore expect to receive a notification that their complaint has been received by the organization. The organization can then undertake its own internal investigation of the complaint.
During this investigation, the organization will determine if a violation took place. If it decides that a violation did occur, it will usually undertake corrective action and may discipline the negligent employee. If the violation is serious and resulted in a breach of PHI, the violation must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
Sometimes the organization fails to act on the complaint in a satisfactory manner or does not do so within an adequate amount of time. In these cases, the patient has the right to escalate the complaint to the Department of Health and Human Services’ Office for Civil Rights (or, as mentioned before, the State Attorney General).
Upon receiving the complaint, the OCR will determine whether it has the authority to investigate, whether the complaint was filed in time (the complaint must be filed with the OCR within 180 days of the incident) and which HIPAA Rules may have been violated. The vast majority of complaints that the OCR receives are actually rejected, either because they were filed too late or because they were not justified.
The OCR will undertake an investigation, resulting in one of the following outcomes:
- Determination that no violation occurred: If the OCR decides that the complaint was not justified as no HIPAA violation occurred, the patient will receive an explanation of why this is the case.
- Determination of minor violation: If the OCR determines that the complaint was justified and that a minor HIPAA violation occurred (e.g. if the violation did not result in a breach of PHI), the OCR will usually require that the organization implements a corrective action plan to rectify the issue.
- Determination of a major violation: If, after its investigation, the OCR determines that a major violation occurred, it may fine the negligent organization. In some cases, if criminal activity is suspected, the OCR will liaise with the Department of Justice.
Often, the OCR will opt for an “informal” solution. That is, rather than issuing a fine, it tries to ensure that the CE or BA has the correct technical assistance to rectify any issues it has. The OCR may also issue a corrective action plan that requires additional training, the implementation of additional safeguards, or other non-monetary actions.
Similar outcomes can occur when the complaint is made with the State Attorney General.