How to Handle A HIPAA Privacy Complaint
Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly.
Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices.
A HIPAA Privacy Complaint Should be Taken Seriously
When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that you treat all potential privacy and security violations seriously.
While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the complaint is dealt with quickly and efficiently, it may not be taken any further.
If a verbal complaint is made, the patient should be asked to submit the complaint in writing. You should provide a form for the patient to do this. The HIPAA privacy complaint form can then be passed on to your Privacy Officer to investigate.
Investigate All Complaints and Take Prompt Action
All HIPAA privacy complaints should be investigated to determine who was involved, and how the privacy of the patient was violated. The privacy breach may not be a one-off mistake. It could be an indication of a widespread problem within your organization. The Privacy Officer must identify the root cause of the privacy violation and take action to ensure that any issues are corrected to prevent similar privacy breaches from occurring in the future.
All individuals involved in the breach must be identified and appropriate action taken – disciplinary action and/or additional training. A report of the incident should be given to law enforcement if a crime is suspected, and policies and procedures may need to be updated to introduce new safeguards to prevent a recurrence.
The Privacy Officer will need to determine whether the incident is a breach and, if so, whether it must be reported. Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. That assessment must consider at least the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The investigation must also determine whether any other patients are likely to have had their privacy violated. If so, every affected individual must be notified without unreasonable delay and no later than 60 days after the breach is discovered.
If a HIPAA breach has occurred, the Breach Notification Rule requires covered entities to report the breach to OCR without unreasonable delay. State laws may also require healthcare organizations to notify the appropriate state attorneys general of the breach.
A breach affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after the breach is discovered; smaller breaches must be logged and reported to OCR within 60 days of the end of the calendar year in which they were discovered. Failure to investigate promptly may see those deadlines missed. In 2017, OCR issued its first HIPAA penalty solely for a Breach Notification Rule violation.
It is important that all stages of the complaint and investigation are documented. Those documents are likely to be requested in the event of an audit or investigation by OCR or state attorneys general. If any documents are missing, it cannot easily be proven that that part of the complaint investigation took place.
Once the investigation into the HIPAA privacy complaint has been completed, report back to the complainant: confirm that the complaint has been investigated and explain the actions taken to mitigate harm and to prevent similar incidents from occurring in the future.
Summary of How to Correctly Handle a HIPAA Complaint
- Request that the HIPAA privacy complaint be made in writing
- Pass the complaint to the Privacy Officer
- Privacy Officer should find out who was involved and what PHI was affected
- The root cause of the breach must be established
- Action should be taken to mitigate harm
- Pass information to HR to take disciplinary action against employees (if appropriate)
- Report the breach to law enforcement (if appropriate)
- Policies and procedures should be updated to prevent a recurrence
- Retrain staff
- Determine whether the breach is a reportable incident (document the risk assessment, whatever the conclusion)
- Collate all documentation in relation to the breach and investigation
- Contact the complainant and explain the findings of the investigation
If the breach is determined to be a reportable incident
- Submit a breach report to OCR
- Submit breach reports to appropriate state attorneys general
- Notify all affected individuals in writing by first-class mail (or by email, if the individual has agreed to receive electronic notice)
- If current contact information is not held for 10 or more individuals, give substitute notice: post a breach notice in a prominent place on the home page of your organization’s website for 90 days, or publish a conspicuous notice in major print or broadcast media serving the area where the affected individuals likely reside
- Include in any substitute notice a toll-free number, active for at least 90 days, that patients can call to find out whether their PHI was involved
If the breach is discovered to affect more than 500 residents of a State or jurisdiction
- Notify prominent media outlets serving that State or jurisdiction (for example, by press release) without unreasonable delay and no later than 60 days after discovery of the breach
Privacy Violations Can Result in Financial Penalties
When patients believe their privacy has been violated, or HIPAA Rules have been breached, they may report the incident to the Department of Health and Human Services’ Office for Civil Rights. Some patients may choose to take this course of action rather than contact the covered entity concerned.
OCR is likely to take an interest in an organization’s HIPAA policies covering privacy complaints. Organizations that do not have documented policies and procedures in place risk financial penalties, and the penalties for HIPAA violations can be severe.
OCR wants to see that complaints are treated seriously, they are adequately investigated and resolved, and that prompt action is taken to ensure they do not happen again. A fast and efficient response to a HIPAA privacy complaint – and correction of any HIPAA violations uncovered – will reduce the risk of a HIPAA violation penalty, and the amount of the penalty if it cannot be avoided.