Patients have the right to file a complaint when they believe your organization has mishandled their information or otherwise violated the HIPAA rules. Patients may mail, fax, or email a complaint to your organization or file one through the OCR’s Complaint Portal. Their complaint describes what your organization did that they believe violated their HIPAA privacy rights.
Conducting an Internal Investigation
When you receive a HIPAA complaint, you (the Privacy Officer) must conduct an internal investigation. Go through the following steps in a timely manner:
- Date stamp and log the complaint.
- Provide written notice to the patient acknowledging that you received their complaint.
- Find out who was involved and whether or not your policies and procedures were violated.
- If a violation has not occurred, date stamp the complaint and consider it closed, and then send a written notice to the complainant detailing the findings and resolution.
- If a violation has occurred:
  - Speak to and take statements from the responsible parties. If the violation was caused by a business associate, forward the complaint to them, log the complaint as being forwarded, and notify the complainant.
  - Discover the root cause of the violation.
  - Take actions to mitigate harm.
  - Update your policies and procedures to address any omissions that may have contributed to the complaint.
  - Pass the results to HR for disciplinary action, if necessary.
  - Retrain your staff.
- After the investigation, notify the complainant in writing as soon as feasible, explain your findings, and describe what you will do to prevent a recurrence.
- Finally, collect the documentation related to the investigation and any resolutions for your files.
Cooperating with the OCR
If the complainant isn’t satisfied with your investigation and findings, they may forward their complaint to the Office for Civil Rights. The Secretary of HHS will then decide if the complaint meets their criteria for acceptance. If the OCR investigates, you will have to submit to their investigation process, which begins with you submitting your current investigation of the complaint.
Additional OCR investigation may include a review of your policies and procedures or a visit to your facility. Be responsive and compliant throughout the process. Do not try to retaliate against the patient who complained. A lack of cooperation will only hurt your organization and invite further fines and penalties from the OCR.
(Keep in mind, actions taken before April 14, 2003, aren’t subject to OCR investigations or enforcement actions because that was the cut-off date for complying with the HIPAA Privacy Rule.)
At the end of the investigation, the OCR will issue a letter describing the resolution and directing you on how to address any issues the complainant identified. Make sure you voluntarily comply with the HIPAA rules, take any required corrective action, and agree to the OCR’s settlement.
If the OCR imposes a civil monetary penalty, your organization may request a hearing. In this case, an HHS administrative law judge decides if the penalties are warranted or not.
Patients have the right to complain to their providers about how their information has been used or handled, or if they have been denied a privacy right. This is an important way of empowering patients and keeping covered entities accountable for their actions.
Make sure you document all complaints your organization receives and their resolutions, and retain that documentation for six years.