Respond to HIPAA Complaints with Planned Process
By Greg Freeman
Healthcare organizations should have a formal process in place for responding to HIPAA complaints to avoid having significant problems slip through the cracks and possibly result in penalties.
Possible HIPAA violations may come to light through a consumer complaint filed online with the Office for Civil Rights (OCR), an internal audit conducted by a clinic or healthcare facility, or a targeted examination initiated by the OCR, any of which may result in a formal investigation, says Richard F. Cahill, JD, vice president and associate general counsel with The Doctors Company, a malpractice insurer based in Napa, CA.
Given the serious ramifications of violating HIPAA, Cahill says practices are strongly encouraged to take these steps:
- Proactively develop written protocols to promote compliance with rules governing access, storage, use, and destruction of protected health information.
- Designate a specific individual as the HIPAA privacy and security officer, who thereafter should oversee the preparation of the procedures to be implemented and enforced.
- Conduct periodic audits to evaluate compliance and to ensure new federal guidelines are implemented in a timely manner.
- Institute training for onboarding all new employees as well as annual huddles to remind staff of existing policies and educate personnel concerning new rules.
- Take attendance at all annual huddles and carefully document the agenda of topics discussed. This is for the purposes of accountability, should an investigation reveal a privacy infraction.
Know Steps to Follow
In particular, office policies should identify the particular steps to be followed in the event of a data breach or notice of a complaint initiated by the OCR, Cahill says.
“Practices are strongly encouraged to notify their medical professional liability [MPL] carriers immediately, as there may be coverage available to retain counsel at no cost to the clinician to assist in addressing the violation and possible OCR investigation,” he says. “MPL policies and endorsements, however, ordinarily do not provide indemnity payments to satisfy administrative sanctions or fines.”
Cahill says clinicians should be aware that, as a collateral consequence of even an inadvertent disclosure of protected health information, a patient may pursue a civil action seeking monetary damages for breach of confidential personal data.
“With the advent of ubiquitous social media platforms, disgruntled individuals may also pursue separate redress in the forum of public opinion in an attempt to vent their anger at the expense of the provider’s reputation,” he says. “Familiarity with privacy laws, staff education, drafting of and periodic re-evaluation of internal practices, and staying current on the evolution of HIPAA obligations are critical for ongoing compliance.”
Provide a Complaint Process
A HIPAA-covered entity must provide a process for individuals to complain about the covered entity’s privacy policies or violations of those policies, says Katherine Hyde, JD, an attorney with the Coppersmith Brockelman law firm in Phoenix. HIPAA’s Privacy Rule does not specify what this complaint procedure should look like, but it should be addressed in the covered entity’s policies and procedures, she says.
“A covered entity may not require individuals to waive their right to complain as a condition of treatment, payment, or enrollment,” Hyde says. “Complaints should be submitted in writing, and covered entities should offer a complaint form and assistance in completing that form to individuals who complain verbally.”
A HIPAA-covered entity must designate a contact person or office who is responsible for receiving complaints and providing more information about the topics addressed in the HIPAA Notice of Privacy Practices, she says. That contact person could be the Privacy Officer or an employee who handles other types of patient-relations issues. Covered entities must document the designation of this person or office and retain that documentation for at least six years, she notes.
“After receiving a complaint, the Privacy Officer should promptly investigate the alleged privacy violation, consult with the appropriate supervisors or human resources personnel, and determine a disposition of the complaint,” Hyde says. “The Privacy Rule does not require a covered entity to respond to patient complaints within a particular period of time, apart from what may be required under HIPAA’s breach reporting provisions. However, we recommend responding in writing within 30 days or less so that individuals feel their complaints are resolved quickly.”
A covered entity must document all complaints it receives and the disposition of those complaints, and that documentation should be retained for at least six years, Hyde says. The Privacy Officer also should consider whether there has been a breach and if reporting or notice to individuals is required by HIPAA’s breach reporting requirements, she says.
Conduct Periodic Training
Prior to receiving a complaint of an alleged HIPAA violation, the covered entity should have prepared by conducting periodic (at least annual) training, says Paul F. Schmeltzer, JD, senior attorney with the Clark Hill law firm in Los Angeles. That training should ensure that all individuals who handle medical information are properly trained on the requirements of HIPAA’s privacy, security, and breach notification rules and any other relevant state and federal privacy laws.
“The roles of a HIPAA Privacy Officer and a HIPAA Security Officer can be performed by the same person, though I do not recommend that a covered entity do this unless their practice is small,” Schmeltzer says. “This individual or individuals should be designated to receive and respond to all alleged HIPAA violations. The roles of the covered entity’s Privacy and Security Officer should be designated in the practice’s HIPAA privacy policies and procedures.”
HIPAA requires that the practice has an appropriate process in place for handling HIPAA complaints, he notes.
“In the event of a breach of confidentiality, it should be reported to the practice’s HIPAA Privacy Officer and HIPAA Security Officer immediately. The breach should be thoroughly investigated. I recommend that the covered entity document their investigation and findings in a written report, which can take the form of a variance or incident report,” Schmeltzer says. “The report should contain as much detail as possible, including witness statements and other supporting documentation.”
The practice should retain a copy of the report and related documentation for a period of six years, he says. The investigation of a complaint alleging a HIPAA violation should try to determine whether a breach did in fact occur, Schmeltzer says. The Department of Health and Human Services (HHS) is clear that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity, under the four-factor breach risk assessment, demonstrates that there is a low probability that the protected health information has been compromised, he explains.
The four-factor breach risk assessment examines the nature and extent of the protected health information involved, the unauthorized person who used or received the protected health information, whether the protected health information actually was acquired or viewed, and the extent to which the risk to the protected health information has been mitigated, he says.
“There are fact patterns where, under the four-factor breach risk assessment, it is unlikely that a breach occurred,” Schmeltzer explains. “For example, if the protected health information was disclosed to another HIPAA-covered organization or a federal agency that must abide by the Privacy Act, there is a lower probability that the PHI [protected health information] was compromised, and analysis under the four factors would indicate that the event did not rise to the level of a breach.”
Schmeltzer says it is important to note that there are three exceptions to the definition of a “breach” under the HIPAA Breach Notification Rule. If any of these exceptions applies to the incident, the covered entity would not have to analyze it under the four-factor breach risk assessment.
“The exceptions include the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of the covered entity, if such acquisition, access, or use was made in good faith and within the scope of authority,” he says. “An inadvertent disclosure of protected health information by one person authorized to access protected health information at a covered entity to another person with the same authorization is also not a breach under HIPAA.”
Also, if the covered entity has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information, then the disclosure would not amount to a breach under HIPAA, Schmeltzer explains.
“If the covered entity, after conducting their investigation, determines that a breach under HIPAA occurred, the Privacy or Security Officer should take disciplinary measures against any individuals that it determined are responsible for a disclosure of confidential medical information. Disciplinary action should follow the covered entity’s written policy regarding sanctions for HIPAA violations,” he says. “The covered entity’s investigation should make every effort to maintain confidentiality of the allegations and the identities of the individuals involved. When interviewing employees, they should be reminded to maintain confidentiality and refrain from discussing the allegation and investigation with employees, friends, and family.”
The covered entity should follow up with the individual who filed the complaint alleging a HIPAA violation and inform them of the investigation’s findings and any disciplinary action taken by the practice, Schmeltzer says. Since there is no private right of action for individuals under HIPAA, HHS OCR is the body responsible for investigating complaints and imposing civil sanctions. Therefore, the individual should be made aware that they can lodge a complaint with HHS OCR in writing or electronically, he says.
“The covered entity’s staff should remember that, under HIPAA, the practice cannot retaliate against an individual for filing a complaint alleging a violation of HIPAA,” Schmeltzer says.
A covered entity’s written policy that details the process for addressing HIPAA complaints should state that no retaliatory action will be taken against a patient, their representative, or a workforce member for lodging a complaint, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. The policy also should ensure that complaints are addressed quickly and should include who is involved in addressing the complaint, she says.
“Also, even if the complaint is without merit, the organization should respond in writing,” Rush says. “The substance of the complaint, the investigation, the resolution, and correspondence with the complainant should be maintained in the entity’s files for six years.”
The covered entity can request that the person making the complaint provide a written statement, but if the complainant will not do so, then the covered entity should ensure the allegations are documented, she says.
The complaint may be an opportunity to review current policies and procedures to determine if they are adequate or should be revised, Rush says. If a workforce member was the cause of the violation, that individual may need to be sanctioned in accordance with the organization’s sanction policy, she says.
“If, after investigation, the organization determines that there has been no violation of policy or law, it should explain why it reached that conclusion in the written communication,” Rush says.
Covered entities and business associates should follow a structured process to ensure compliance and proper resolution when responding to a HIPAA complaint, reacting quickly and maintaining transparency throughout the process to uphold compliance with HIPAA regulations, says Justin Russell, JD, of counsel with the Kaufman Dolowich law firm in Orlando, FL. From inception to resolution, an appropriate response flow would include documentation and policy review; a thorough complaint assessment; a formal investigation; corrective action, resolution, and response; communication of findings; and reporting.
“Prevention is always the best medicine,” Russell says. “To avoid future complaints, be sure to regularly conduct training sessions on HIPAA compliance for all employees, focusing on areas relevant to the complaint and remediation. Continuously update privacy policies and procedures to prevent future violations and ensure alignment with current regulations and best practices.”
Sources
- Richard F. Cahill, JD, Vice President and Associate General Counsel, The Doctors Company, Napa, CA. Telephone: (800) 421-2368.
- Layna Cook Rush, CIPP/US, CIPP/C, Shareholder, Baker Donelson, Baton Rouge, LA. Telephone: (225) 381-7043.
- Katherine Hyde, JD, Coppersmith Brockelman, Phoenix, AZ. Telephone: (602) 381-5471.
- Justin Russell, JD, Kaufman Dolowich, Orlando, FL. Telephone: (954) 224-1313.
- Paul F. Schmeltzer, JD, Clark Hill, Los Angeles, CA. Telephone: (213) 417-5163.