HIPAA Complaints

Is your practice prepared if the federal government comes calling? By Kate L Bechen, JD

We are seeing an uptick in complaints, investigations and enforcement actions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Under HIPAA, patients can file a complaint with the Office for Civil Rights (“OCR”) if they believe their privacy rights have been violated. While this right is not new, it is getting more attention as a result of stepped-up enforcement actions in the health care industry and increasing concern over patient privacy. Another factor behind the growing interest in HIPAA enforcement is the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”).

When OCR receives a patient privacy complaint, an investigator determines whether the allegations, if true, would constitute a violation of HIPAA or HITECH. If “yes,” OCR issues a letter to the provider listing the complainant’s allegations, explaining OCR’s enforcement authority, the investigation process, potential penalties, response deadlines, contact information for the OCR investigator, and a document request list. OCR does not investigate the truth of the allegations until after receiving the provider’s response.

Smaller practices without an internal legal department should contact their attorney upon receipt of a letter from OCR. Involving your attorney from the start ensures a complete, timely and appropriate investigation, response, and follow-up. The standard response deadline is 14 days from the date of the letter.

Every complaint letter should be taken very seriously, even if the allegation is unfounded. Complaint letters will include a data request addendum which may vary slightly depending on the nature of the alleged breach. Nearly all complaint letters include the following data requests:

Name, title and telephone number of provider’s contact person for the investigation (this could be the privacy officer or attorney).
Position statement in response to allegation.
Copy of HIPAA policies and procedures covering use and disclosure of protected health information (“PHI”).
Mitigation policy and procedures.
Copy of any internal complaint filed by complainant.
Description of investigation.
Remedial action taken, if any.
Additional relevant information.

Often the provider has already performed a breach investigation, but sometimes the complaint letter is the first notice of the alleged breach, especially in the case of frivolous complaints. While each investigation is unique, there are several steps that every provider should take to investigate the alleged breach.

Follow any and all applicable policies and procedures.
Determine if and when the breach occurred.
Determine which individuals were involved and what PHI was affected.
Determine the length of time the PHI was unsecured and who had access during that time.
Perform a risk assessment to evaluate potential risks to affected individuals.
Thoroughly document the entire investigation process.

Once the investigation concludes, determine what, if any, mitigation efforts are necessary.

If PHI of more than just the complainant was disclosed, determine if/when/how the additional individuals should be contacted.
Consider offering credit monitoring services.
Consider whether compensation of affected individuals is appropriate (only do so in consultation with an attorney).
Determine when HHS should be notified of the breach (this will depend on the number of patients involved).
Determine whether media must be notified of the breach.
Determine whether employees involved in the breach should be disciplined and/or terminated.
Schedule training sessions to address the breach and discuss new policies and procedures implemented to prevent future breaches.
Consider reaching out directly to the patient.

OCR’s subsequent review of the provider’s response may take several months, depending upon the complexity of the issues and the investigator’s workload. OCR’s primary concern is to make sure any breach is appropriately addressed and any harmful effects properly mitigated. A prompt, thorough, well-documented response goes a long way toward avoiding formal enforcement action. Even in situations where the provider realizes, as part of the investigation, that a complete overhaul of its HIPAA policies and procedures is necessary, OCR is generally receptive to prompt corrective action. That said, don’t be lax in annually reviewing your HIPAA policies and procedures, and make sure an attorney or experienced privacy officer has reviewed and updated your policies since the adoption of HITECH.

The author practices in the law firm of Michael Best & Friedrich LLP, in Milwaukee. She may be reached at
