Health Insurance Portability and Accountability Act (“HIPAA”) complaints are generally of two types: (1) complaints by individual patients regarding violation of their HIPAA rights; and (2) complaints by office employees who use Protected Health Information (“PHI”) regarding security problems that may put PHI at risk.
The practice must provide each patient with a Notice of Privacy Practices that includes:
● A statement of the right to file a complaint;
● A brief description of the procedure to follow to file a complaint with the entity and with HHS;
● The name and contact number of the contact person in the office; and
● A statement that no retaliation will result in the event of a complaint.
Patients should be informed that complaints may be filed in one of two ways: (1) by mail or electronically through the Office of Civil Rights to the Secretary of Health and Human Services (“HHS”); or (2) directly to the practice. The latter route is preferable, as resolving the matter internally may avoid an HHS investigation. Individuals who file complaints or participate in any manner in an investigation must not be intimidated, coerced, threatened or retaliated against.
Under the Privacy Rule, each practice must have:
● A designated Privacy Official to develop HIPAA-compliant policies and procedures;
● A contact person who receives complaints and provides information;
● Procedures to document all complaints and their disposition; and
● Formal procedures to respond to security incidents and to mitigate the harmful consequences of these events.
In a small organization, the privacy official and the contact person can be the same individual. Using the full response and report procedure may not be necessary in addressing every complaint by individuals. While a formal investigation of a complaint may not be necessary, the following steps are required:
● Verify the facts;
● Take appropriate action;
● Notify the complainant of the actions taken; and
● Keep records of the complaint and its disposition for 6 years.
HIPAA also requires that employees report security incidents that may result in the improper disclosure of PHI to a security officer in the office, who may also be the person who served as the practice’s privacy/complaint official. A practice must develop a formal reporting procedure which indicates: (1) what incidents employees must report and to whom; (2) the form of the report; and (3) the time period within which the report must be filed. Not only should actual security breaches be reported, but also breaches of the practice’s PHI policies and procedures. The practice must also establish specific procedures to follow after the filing of a security report which specify: (1) who will investigate; (2) who will take remedial action; and (3) when disciplinary action is appropriate. The HIPAA Security Rule requires a progressive disciplinary policy against non-compliant employees to be in place. Reports of security incidents must also be retained for 6 years.
Practices must attempt to mitigate the potentially harmful effects of security incidents. They must take steps to ensure that the breach does not happen again and attempt to lessen the resulting harm. If identity theft could result, notification of both the injured party and law enforcement officials is appropriate. Except in cases of possible identity theft or unless a patient requests an accounting, the practice does not need to notify the patient of a security breach.