What happens after a HIPAA complaint is filed?

What happens after a HIPAA complaint is filed? Is there a specific timeline that a patient can expect to be followed? How should complaints be made in the first place? 

Under HIPAA, all patients have the right to complain to healthcare organizations, health plans, or healthcare clearinghouses (all deemed to be HIPAA “Covered Entities”, CEs) or their Business Associates (BAs) if they have concerns about how their PHI is being handled. Details of how the patient can make a complaint should be provided alongside the Notice of Privacy that they receive when they first register with an organization. The Notice of Privacy will contain a variety of other details concerning how the patient’s data will be used and disclosed, and how patients can access their data.

Complaints should be directed to the HIPAA Privacy Officer or HIPAA Security Officer within an organization. These Officers (who may sometimes be combined into the single role of “HIPAA Compliance Officer”) are required under the HIPAA Privacy Rule and HIPAA Security Rule, respectively. Their roles are varied: though the Officers principally oversee the organization’s HIPAA compliance, they are also the point of contact for all employees, volunteers, students, and patients who have HIPAA-related concerns.

Once the Compliance Officer receives the complaint, they should send the patient an acknowledgment that the complaint has been received. This is because, though HIPAA offers little guidance on the exact complaints procedure, it does stipulate that all complaints must be adequately documented.

The Compliance Officer can then start investigating the basis of the claim. In the first instance, they must establish whether there were “just grounds” for the complaint (that is, whether a HIPAA violation even occurred). If the outcome of this investigation finds that there were no just grounds, then the patient should be notified of the outcome and given an explanation of this result.

When there is just cause, the Compliance Officer has a number of different options. If the violation was relatively minor, they may simply implement corrective actions (such as offering additional training to staff). In other cases, they may require that more severe disciplinary action be undertaken. If a serious violation has occurred, particularly if it resulted in a breach of protected health information, the Compliance Officer may escalate the complaint to the Office for Civil Rights (OCR) within the Department of Health and Human Services.

The OCR is the main body overseeing HIPAA enforcement. It is important to note that all violations that resulted in a breach of PHI must be reported to the OCR.

Though it is usually the case that patients will first file a complaint with the CE or BA that they suspect violated HIPAA, they also have the option of filing a complaint with the OCR. They may also pursue this route if they are unhappy with the outcome of the CE or BA’s internal investigation. State Attorneys General also have the power to enforce HIPAA, though they usually require that patients pursue their complaints with the healthcare organization in the first instance.

Once the OCR receives the complaint, they, too, carry out an initial investigation to determine whether the complaint was justified. Incredibly, over two-thirds of the complaints made or referred to the OCR are dismissed, either because they were not made within the correct time frame (180 days of the incident occurring) or because the patient did not have just grounds for complaint.

Where the OCR determines that a violation has occurred, more often than not they favor non-punitive remediations. They offer technical assistance to CEs or BAs, for example, or request that voluntary actions be undertaken (such as implementing additional safeguards). Typically, the more severe the breach, the more severe the penalty. The OCR and State Attorneys General both have the power to issue punitive fines for severe HIPAA violations. Additionally, if the OCR suspects that criminal activity has taken place, they may refer the case to the Department of Justice (DoJ). The DoJ will then conduct its own investigation.