How to File a HIPAA Complaint
HIPAA gives individuals the right to file a HIPAA complaint against Covered Entities and Business Associates if they believe a violation of HIPAA has occurred. However, despite being provided with information explaining this right, some individuals remain unsure what a HIPAA violation is, who to file a HIPAA complaint with, and how to do it.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers and health plans to make reasonable and appropriate efforts to ensure the confidentiality, integrity, and availability of individually identifiable health information. The Act also gives patients and plan members the right to see what information is maintained about them, request corrections if any information is inaccurate or incomplete, and know who their information has been shared with.
To ensure patients and plan members are aware of how their information is used and what their rights are, healthcare providers and health plans are required to give each new patient or enrollee a Notice of Privacy Practices. The Notice of Privacy Practices should explain what uses and disclosures of their individually identifiable health information are permitted by HIPAA, how individuals can exercise their HIPAA rights, and how they can file a HIPAA complaint if a HIPAA violation occurs.
Unfortunately, many Notices of Privacy Practices fail to fully explain what a HIPAA violation is. Consequently, two-thirds of HIPAA complaints received by HHS' Office for Civil Rights are rejected because no violation has occurred or because they are not “eligible cases for enforcement action” – i.e., the use or disclosure of individually identifiable health information is permitted by the Privacy Rule, or the complaint was made against an organization not subject to the HIPAA Rules.
What is a HIPAA Violation?
A HIPAA violation is any act – or failure to act – which contravenes a HIPAA standard. The failure to face workstations away from public view, implement integrity controls, and deploy automatic logoff on devices with access to health information are all examples of HIPAA violations that won't necessarily result in an impermissible use or disclosure of individually identifiable health information, but which would be grounds for an individual to file a HIPAA complaint.
More common reasons for individuals filing a HIPAA complaint include events that do result in an impermissible use or disclosure, disclosing more than the minimum necessary information, and failing to respond to health information access requests. However, it is not surprising that two-thirds of complaints are rejected because it can be quite difficult to understand the definition of individually identifiable health information and what uses and disclosures are permitted.
Individually Identifiable Health Information
Individually identifiable health information is health information created or received by a healthcare provider or health plan that can identify an individual. However, in order for it to be subject to the standards of the HIPAA Privacy and Security Rules, the information has to relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of healthcare.
If the information is not created or received by a healthcare provider or health plan, does not identify an individual – either on its own or when combined with other data maintained in the same designated record set – and does not relate to an individual's condition or the provision of – or payment for – healthcare, it is not usually considered to be individually identifiable health information or Protected Health Information (PHI) except in specific circumstances.
One specific circumstance relates to baby walls. If a mother sends a photo of her newborn child to an obstetrician, although it is “received by a healthcare provider” it is not usually included in a designated record set, and not considered to be PHI. This changes if the photo is put on public display as it identifies an individual who has been the past recipient of treatment. Consequently, the photo is not a permitted disclosure of PHI without the mother's written authorization.
Required, Permitted, and Authorized Uses and Disclosures
The General Principles for Uses and Disclosures govern which uses and disclosures of PHI are required, permitted, or require authorization. Disclosures of PHI are only required in two scenarios – when access to PHI in a designated record set is requested by an individual exercising their patients' rights, and when HHS' Office for Civil Rights requires access to PHI in order to conduct an audit, an investigation, or a compliance review after issuing a Corrective Action Plan.
The permitted uses and disclosures of PHI are mostly for treatment, payment, and health care operations (i.e., provider or health plan performance evaluation, credentialing, and accreditation). However, healthcare providers and health plans are also permitted to disclose PHI to report abuse, to engage in health oversight activities, to support law enforcement operations, and when required by law for anything from compliance with workers' comp laws to judicial proceedings.
Any use or disclosure of PHI that is neither required nor permitted requires written authorization from the individual or their legal representative. Uses or disclosures that require authorization include disclosing PHI to a prospective employer, using PHI for marketing purposes, disclosing PHI to a life insurer for coverage purposes, and – as mentioned above – putting a picture of a newborn child on a baby wall which is exposed to public view.
Protected Health Information Identifiers
When you file a HIPAA complaint, one of the questions you are asked is “how and why do you believe your (or someone else's) health information privacy rights were violated?” Unless you are filing a HIPAA complaint because your right to access PHI was declined, you may need to be aware of what information is protected by the PHI Identifiers – the items that must be removed from a designated record set before the information remaining in the set is no longer considered protected. These are:
- Names – including the names of any other person that might be used to identify the individual (spouse, employer, household members, etc.).
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death.
- Telephone and FAX numbers – again including numbers of any other person that might be used to identify the individual.
- Email addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers including license plates.
- Device identifiers and serial numbers.
- Web URLs.
- Internet protocol (IP) addresses.
- Full face photos and identifiable images (e.g., scars, tattoos, jewelry, birthmarks, etc.).
- Biometric identifiers (e.g., retinal scans, fingerprints).
- Any other unique identifying number, characteristic, or code.
Why File a HIPAA Complaint?
Individual motives for filing a HIPAA complaint can vary according to the circumstance; however, most HIPAA complaints are made to prevent data leaks (e.g., impermissible uses and disclosures) rather than data breaches – which are usually reported directly to HHS' Office for Civil Rights by the Covered Entity or Business Associate responsible for the breach. Importantly, you can file a HIPAA complaint even if the violation of HIPAA doesn't have a personal impact on you.
Why might you file a HIPAA complaint if the violation of HIPAA doesn't have an impact on you? Well, if you overhear medical professionals discussing another patient's case, receive an email containing another patient's test results, or are dispensed another patient's medication with your own, consider what the impact might be if the medical professionals were discussing your case, a work colleague received your test results, or your medication was not available because of an error.
Therefore, filing a HIPAA complaint about any type of HIPAA violation – even if it doesn't impact you directly – can be worthwhile. It will alert your healthcare provider or health plan to the violation, give them an opportunity to implement safeguards to reduce the likelihood of the violation happening again, and help better protect your PHI from impermissible uses and disclosures. The next question is who you file a HIPAA complaint with.
Who Do You File a HIPAA Complaint With?
Who you file a HIPAA complaint with can also vary according to the circumstance. For example, if a photo of your newborn child has gone on public display without your authorization, you may be annoyed about it, but perhaps only enough to file a HIPAA complaint with your obstetrician's Privacy Officer (whose contact information should have been included in the Notice of Privacy Practices given to you when you first visited the obstetrician).
If the HIPAA violation is of a more serious nature – or the Privacy Officer fails to respond to your initial complaint – you can escalate the complaint to HHS' Office for Civil Rights via the online Complaints Portal. HHS' Office for Civil Rights will review your complaint, advise you whether you have an eligible complaint, and – if so – commence an investigation into the complaint. Please note, there is no time limit for how long it may take to resolve your complaint.
You can also file a HIPAA complaint with your state's Attorney General. This is more likely an option if your state has passed a privacy law that allows a private right of action to seek damages. You will need to sign a consent form to allow your state to share your PHI with any investigating agencies, and you should also tell the state that you have filed a HIPAA complaint with HHS' Office for Civil Rights so that the investigation into the violation is not duplicated.
What to Include When You File a HIPAA Complaint
Whether you file a HIPAA complaint with a healthcare facility, a health plan, HHS' Office for Civil Rights, or your State Attorney General – and regardless of whether your complaint relates to a personal impact or an event impacting somebody else – you should always include the following information:
- Your name (anonymous complaints will not be investigated)
- Your address, telephone number, and email address
- The name and address of the organization the complaint is about
- The date(s) on which the alleged violation(s) occurred
- A description of what happened and why you feel your rights (or somebody else's rights) were violated
The OCR's Complaints Portal also contains a series of optional questions in case you need special accommodations such as a hard copy of the complaint form in braille, in large print, or in a language other than English. HHS' Office for Civil Rights also allows you to file a HIPAA complaint via fax, email, or mail, but – if you are using one of these options – you will also have to print, complete, sign, and return a separate consent form for HHS to share your PHI with investigating agencies.
With regard to a healthcare provider or health plan finding out you have filed a HIPAA complaint with HHS' Office for Civil Rights or a State Attorney General, Covered Entities and Business Associates are not allowed to threaten, intimidate, coerce, harass, or discriminate against an individual who files a complaint under §160.316 of the HIPAA provisions. Any Covered Entity or Business Associate who violates this HIPAA standard will be subject to increased enforcement action.