How Does OCR Deal with HIPAA Complaints?

The Department of Health and Human Services’ Office for Civil Rights (OCR) encourages individuals to file complaints about HIPAA-covered entities, or their business associates, if they feel that their privacy has been violated. Individuals are also able to file complaints if they believe the privacy of other individuals has been violated.

Complaints about potential HIPAA violations are investigated by OCR, and while many prove to be unsubstantiated, oftentimes a HIPAA covered entity, or an employee of that organization, is discovered to have violated patient privacy or breached HIPAA Rules.

OCR receives many complaints and the breach portal contains many hundreds of breach reports from covered entities that have experienced major breaches of PHI, yet only a tiny percentage result in civil monetary penalties being issued or financial settlements being agreed.

What happens to all the other complaints that involve violations of HIPAA Rules? What action does OCR take against covered entities that violate the privacy of patients or fail to adhere to HIPAA Rules?

In the vast majority of cases, HIPAA violations are not severe enough to warrant a civil monetary penalty or resolution agreement being issued. Most complaints are dealt with in a nonpunitive manner.

OCR attempts to resolve complaints by voluntary compliance whenever possible. Civil monetary penalties are usually only sought for willful violations of HIPAA Rules or when a covered entity fails to take action to address HIPAA Rule violations.

Oftentimes, covered entities require help with addressing non-compliance, and technical assistance is provided by OCR.

ProPublica Publishes Details of Closed HIPAA Complaints

ProPublica believes the public should have access to further information about substantiated complaints that have been made about HIPAA covered entities. When complaints are closed, OCR is required to disclose details of closed complaints to the public – on request – under the Freedom of Information Act.

ProPublica reporters have recently requested copies of letters sent to complainants notifying them of the closure of complaints and the findings of OCR investigations.

OCR has now provided a number of these letters to ProPublica with identifying information redacted. The letters explain the actions taken by OCR and the covered entity to correct non-compliance issues and further protect the privacy of patients.

At the time of writing, OCR has supplied 308 complaint closure letters. 53% of the complaints were resolved following voluntary corrective action that was taken by the covered entity. 47% of complaints required technical assistance to be provided by OCR to the covered entity to bring policies and procedures up to the standard required by HIPAA.

The letters, and a summary, can be viewed here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.