The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How Does OCR Deal with HIPAA Complaints?

The Department of Health and Human Services’ Office for Civil Rights (OCR) encourages individuals to file complaints about HIPAA-covered entities, or their business associates, if they feel that their privacy has been violated. Individuals are also able to file complaints if they believe the privacy of other individuals has been violated.

Complaints about potential HIPAA violations are investigated by OCR, and while many prove to be unsubstantiated, oftentimes a HIPAA-covered entity, or an employee of that organization, is discovered to have violated patient privacy or breached HIPAA Rules.

OCR receives many complaints and the breach portal contains many hundreds of breach reports from covered entities that have experienced major breaches of PHI, yet only a tiny percentage result in civil monetary penalties being issued or financial settlements being agreed.

What happens to all the other complaints that involve violations of HIPAA Rules? What action does OCR take against covered entities that violate the privacy of patients or fail to adhere to HIPAA Rules?


In the vast majority of cases, HIPAA violations are not severe enough to warrant a civil monetary penalty or resolution agreement being issued. Most complaints are dealt with in a nonpunitive manner.

OCR attempts to resolve complaints by voluntary compliance whenever possible. Civil monetary penalties are usually only sought for willful violations of HIPAA Rules or when a covered entity fails to take action to address HIPAA Rule violations.

Oftentimes, covered entities require help with addressing non-compliance, and technical assistance is provided by OCR.

ProPublica Publishes Details of Closed HIPAA Complaints

ProPublica believes the public should have access to further information about substantiated complaints that have been made about HIPAA covered entities. When complaints are closed, OCR is required to disclose details of closed complaints to the public – on request – under the Freedom of Information Act.

ProPublica reporters have recently requested copies of letters sent to complainants notifying them of the closure of complaints and the findings of OCR investigations.

OCR has now provided a number of these letters to ProPublica with identifying information redacted. The letters explain the actions taken by OCR and the covered entity to correct non-compliance issues and further protect the privacy of patients.

At the time of writing, OCR has supplied 308 complaint closure letters. 53% of the complaints were resolved following voluntary corrective action that was taken by the covered entity. 47% of complaints required technical assistance to be provided by the OCR to the covered entity to bring policies and procedures up to the standard required by HIPAA.

The letters, and a summary, can be viewed here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
