What happens after a HIPAA complaint is filed with HHS’ Office for Civil Rights is that the complaint goes through a process established by the HIPAA Enforcement Rule (2006) and fine-tuned by the HIPAA Final Omnibus Rule (2013). The process can be found in §160.300 of the HIPAA Administrative Simplification Regulations, and consists of:
- Initial Intake
- Review of Complaint
Initial Intake and Review
The initial intake filters out complaints made against organizations that do not qualify as covered entities or business associates, and complaints that were not filed within the required time limit. HHS’ Office for Civil Rights has no jurisdiction over non-covered organizations, and §160.306(b)(3) of the Administrative Simplification Regulations states:
“A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary [of Health and Human Services] for good cause shown.”
If a complaint passes the initial intake filter, it is reviewed to determine whether the activity described in the complaint would, if true, violate any of the HIPAA Rules. More than two-thirds of HIPAA complaints filed with HHS’ Office for Civil Rights are rejected at this stage because they are made against organizations that do not qualify as covered entities or business associates, because they were filed outside the 180-day time limit, or because the activity described in the complaint is not a violation of HIPAA.
Determination and Investigation
Prior to the passage of the HITECH Act (and the consequent changes made to HIPAA via the Final Omnibus Rule), HHS’ Office for Civil Rights had the discretion to choose which HIPAA complaints were formally investigated. In practice, the agency conducted a preliminary investigation of every complaint that passed intake and review, and pursued a formal investigation only when the facts indicated a possible violation of HIPAA.
The HITECH Act introduced a clause into §1176 of the Social Security Act which requires HHS’ Office for Civil Rights to formally investigate, and to impose a penalty on, any covered entity or business associate that violates HIPAA due to “willful neglect”. Note: for the purpose of this investigation requirement, the clause does not distinguish between violations attributable to willful neglect that are rectified within 30 days and those that are not.
Consequently, since the publication of the HIPAA Final Omnibus Rule, HHS’ Office for Civil Rights prioritizes HIPAA violations due to willful neglect, whether brought to the agency’s attention via a complaint or via a compliance review. For all other complaints, HHS’ Office for Civil Rights retains the discretion to determine which ones it will formally investigate, although it still conducts a preliminary investigation of every complaint that indicates a possible violation of HIPAA.
The change to the Social Security Act also required HHS’ Office for Civil Rights to change the language of the Enforcement Rule: where the Rule previously stated that the agency “will” attempt to resolve complaints by informal means such as voluntary compliance, it now states that the agency “may” do so. Even so, informal resolution remains the eventual outcome in the majority of investigations.
However, in around 25% of investigations, the outcome is corrective action – typically a Corrective Action Plan which is monitored by HHS inspectors for a period of up to two years. If a covered entity or business associate fails to comply with a Corrective Action Plan or continues to violate HIPAA after the initial investigation, the agency has the authority to impose a civil monetary penalty.
The exception to this process is when it becomes evident that an individual or an organization has knowingly and wrongfully disclosed individually identifiable health information for personal gain, commercial advantage, or to cause malicious harm. In such circumstances, complaints are referred to the Department of Justice under §1177 of the Social Security Act to be criminally investigated.
What Happens after a HIPAA Complaint is Filed with a Covered Entity?
Not all HIPAA complaints are directed to HHS’ Office for Civil Rights because individuals can also file complaints with the covered entity at which a violation is alleged to have occurred. Covered entities are required to publish the contact details of the individual responsible for receiving complaints (usually the Privacy Officer) in their Notice of Privacy Practices, and some covered entities exploit this requirement to include the contact details for the Privacy Officer, but not HHS’ Office for Civil Rights.
The reason for doing this is that HHS’ Office for Civil Rights will consider a covered entity’s previous compliance history when determining the scope of a Corrective Action Plan or the amount of a civil monetary penalty. If the covered entity has managed to keep the majority of HIPAA complaints “in-house”, there will be very little compliance history for HHS’ Office for Civil Rights to consider. (Note: this “ruse” can backfire if a covered entity fails to resolve a complaint to the satisfaction of the complainant and the complaint is escalated to HHS’ Office for Civil Rights.)
What happens after a HIPAA complaint is filed with a covered entity varies from covered entity to covered entity as each has its own process for handling complaints. It is likely that a large number of HIPAA complaints are rejected on initial intake and review for the same reasons as HHS’ Office for Civil Rights rejects HIPAA complaints. Nonetheless, reviewing complaints, responding to complainants, and investigating complaints that justify an investigation is time-consuming.
How to Minimize HIPAA Complaints
Dealing with HIPAA complaints – whether they come from an individual directly or via HHS’ Office for Civil Rights – is not only time-consuming, but costly. Furthermore, when HIPAA complaints are justified, they can result in the need to revise policies and procedures, retrain members of the workforce, and monitor workforce compliance with the policies and procedures – notwithstanding that justified HIPAA complaints can also result in civil monetary penalties.
The best way to minimize the costs associated with HIPAA complaints is to minimize the number of HIPAA complaints. This can be achieved by better educating members of the workforce on HIPAA-related topics so they can explain the Notice of Privacy Practices to patients, answer questions, and resolve privacy concerns before they deteriorate into complaints.
This requires providing HIPAA training beyond the minimum required by the Privacy and Security Rules, but many covered entities and business associates lack the resources to provide additional training because those resources are already being diverted to dealing with HIPAA complaints. One solution is to contract an online training specialist or compliance expert to provide the training on the organization’s behalf; in many cases, this is the most cost-effective option.