How to Manage a HIPAA Privacy Complaint
When a HIPAA privacy complaint is submitted, it is vital that it is dealt with quickly and efficiently. Fast action will help to reassure patients that you deal with all potential privacy and security violations properly.
While patients may be annoyed or stressed that a mistake has occurred, in many instances, patients are not looking to cause trouble. They want the issue to be reviewed, any risks to be mitigated, the problem to be addressed to ensure it does not happen another time, and in many instances, they seek an apology. If the complaint is dealt with quickly and efficiently, it may not be taken beyond this.
If a verbal complaint is submitted, the patient should be asked to submit the complaint officially in writing. You should supply a form for the patient to do this. The HIPAA privacy complaint form can then be passed on to your Privacy Officer to review.
Review All Complaints and Take Swift Action
All HIPAA privacy complaints should be reviewed to determine who was involved, and how the privacy of the patient was breached. The privacy breach may not be a one-off error. It could be an indication of a widespread problem within your group. The Privacy Officer must identify the source of the privacy violation and take action to ensure that any issues are corrected to stop similar privacy breaches from occurring in the future.
All individuals involved in the breach must be listed and appropriate action taken – disciplinary action and/or additional training. A report of the incident should be submitted to law enforcement if a crime is suspected, and policies and procedures may need to be updated to introduce new safeguards to stop a recurrence.
The Privacy Officer will need to find out whether there has been a HIPAA breach, and if the incident must be reported. The investigation must deduce whether any other patients are likely to have had their privacy breached. If so, they will need to be notified within 60 days.
If a HIPAA breach has taken place, the Breach Notification Rule requires covered entities to report the breach to OCR without unnecessary delay. State legislation may also require healthcare organizations to notify appropriate state attorneys general of the violation.
A breach affecting over 500 individuals must be reported to OCR within 60 days of the discovery of the breach; smaller breaches must be reported within 60 days of year end. Failure to investigate promptly may see that deadline missed. In 2017, OCR issued its first HIPAA penalty solely for a Breach Notification Rule violation.
It is important that all stages of the complaint and investigation are recorded. Those documents are likely to be asked for in the event of an audit or investigation by OCR or state attorneys general. If any documents are missing, that aspect of the complaint investigation cannot be easily shown to have taken place.
Once the review into the HIPAA privacy complaint has been finished, it is important to report back to the original complainant, explain that their complaint has been looked into, and outline the actions taken to mitigate damage and stop similar incidents from occurring in the future.
Summary of How to Properly Handle a HIPAA Complaint
- Ask that the HIPAA privacy complaint is made in writing
- Send the complaint to the Privacy Officer
- Privacy Officer should find out who was involved and what PHI was violated
- The root cause of the breach must be deduced
- Action should be taken to mitigate damage
- Pass details to HR to take disciplinary action against employees, if appropriate
- Report the breach to law enforcement agencies, if appropriate
- Policies and procedures should be updated to stop a recurrence
- Retrain staff in HIPAA
- Determine if the breach is a reportable incident
- Gather all documentation in relation to the breach and review
- Get in touch with the complainant and explain the findings of the investigation
If the breach is found to be reportable:
- Send a breach report to OCR
- File breach reports to appropriate state attorneys general
- Make a toll-free number available for patients to find out more information
- Notify all impacted individuals by mail
- Place a breach notice in a prominent place on the homepage of your organization’s website for 90 days if current contact information for 10 or more people is not held
If the breach is found to impact over 500 individuals:
- Share a press release to a prominent media outlet
Privacy Breaches Can Lead to Financial Penalties
When patients feel their privacy has been breached, or HIPAA Rules have been violated, they may report the incident to the Department of Health and Human Services’ Office for Civil Rights. Some patients may opt to take this course of action rather than contact the covered entity concerned.
OCR is likely to take an interest in a group’s HIPAA policies covering privacy complaints. Fines await groups that do not have documented policies and procedures in place, and the penalties for HIPAA violations can be major.
OCR wants to see that complaints are treated properly, they are adequately reviewed and resolved, and that prompt action is taken to ensure they do not occur again. A quick and efficient response to a HIPAA privacy complaint – and correction of any HIPAA breaches uncovered – will reduce the danger of a HIPAA violation penalty, and the amount of the penalty if it cannot be prevented.