The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What Happens after a HIPAA Complaint is Filed?

What happens after a HIPAA complaint is filed can vary according to who it is filed with, whether or not the complaint is justified, and the nature of the complaint.

When you register with a healthcare provider or become a member of a group health plan, you are given a Notice of Privacy Practices. The Notice of Privacy Practices explains how the healthcare provider or health plan can use or disclose your health information and also what rights you have to restrict specific uses and disclosures and request a copy of any health information held about you.

The Notice of Privacy Practices should also provide details of who you can complain to if you think a healthcare provider or health plan has used or disclosed your health information impermissibly, or if your rights have been violated. Usually, the contact details are those of the organization's Privacy Office and the Department of Health & Human Services' Office for Civil Rights.

It is also possible to file a complaint with your State Attorney General. However, the majority of states require that you complain to the organization before filing a complaint with the State Attorney General. For this reason, it is important to keep copies of any correspondence between you and the organization, and records of who you spoke with and when if complaining by phone.


What Happens after a HIPAA Complaint is Filed with an Organization?

There is no HIPAA-mandated process for what happens after a HIPAA complaint is filed with a healthcare provider or health plan, so the process is likely to vary from organization to organization. However, the Privacy Rule states that all complaints have to be documented, so the first thing that will happen is that you will receive an acknowledgement of your complaint.

Healthcare providers and health plans are aware that if they do not respond to your complaint satisfactorily and in a timely manner, you have the right to escalate the complaint to HHS' Office for Civil Rights or your State Attorney General. As regulatory investigations can be disruptive and attract indirect costs, your complaint should be reviewed as a matter of priority.

If the review identifies a potential HIPAA violation, it will be investigated further. An investigation can result in several outcomes.

  • If no violation is identified, you should receive a communication explaining why.
  • If a minor violation is identified, the organization will likely take steps to rectify it.
  • If a more serious violation is identified, the organization may escalate your complaint to HHS' Office for Civil Rights for technical assistance or to report a data breach.

If you are dissatisfied with the response from your healthcare provider or health plan – or you fail to hear from them in a timely manner – you can escalate the complaint to HHS' Office for Civil Rights or your State Attorney General. Unlike complaining to a State Attorney General, HHS' Office for Civil Rights does not require you to have complained to the organization before complaining to them.

What Happens after a HIPAA Complaint is Filed with HHS' Office for Civil Rights?

When a complaint is filed with HHS' Office for Civil Rights, the complaint is reviewed to establish that the agency has the authority to investigate, that the complaint was made within 180 days of the alleged violation, and that the complaint relates to a violation of the Privacy, Security, or Breach Notification Rules. Around two-thirds of complaints are rejected at the review stage because the complaint is made against an organization not subject to HIPAA, is too late, or no violation has occurred.

If a complaint passes the review stage, HHS' Office for Civil Rights will contact the healthcare provider or health plan to attempt an informal resolution to the complaint – for example, by providing technical assistance. If a more serious violation is identified, HHS' Office for Civil Rights will conduct a full-scale investigation into the organization's compliance, with the possible outcomes being technical assistance, a more formal corrective action plan, or a civil money penalty.

The process is much the same when a complaint is filed with a State Attorney General, and both HHS' Office for Civil Rights and State Attorneys General will inform a complainant of the outcome of their complaint once it is resolved. The only exception to this process is when a possible criminal violation of HIPAA is identified by either HHS' Office for Civil Rights or a State Attorney General – in which case the complaint is escalated to the Department of Justice for investigation.


FAQs

How long does a HIPAA violation investigation take?

A HIPAA violation investigation takes as long as necessary to determine the cause of the violation. In many cases, HIPAA violations occur due to compliance shortcuts being taken “to get the job done”. If the shortcuts develop into a culture of non-compliance, the violation being investigated may be caused by an unrelated violation that also needs to be resolved.

What is the HIPAA complaint process when the violating entity is a business associate?

The HIPAA complaint process when the violating entity is a business associate depends on whether the business associate provides a service for one or multiple covered entities. In the event of providing a service to one covered entity, the HIPAA complaint process would follow the stages mentioned above with the covered entity acting as a middleman between HHS’ Office for Civil Rights and the business associate.

If the business associate provides a service to multiple covered entities, it is likely HHS’ Office for Civil Rights would deal directly with the business associate. However, if any covered entity is found to have known about an event or activity that violated HIPAA, they too could be penalized for failing to conduct due diligence on the business associate and monitor compliance with the Business Associate Agreement.

How does the HIPAA violation investigation process start?

The HIPAA investigation process starts with HHS’ Office for Civil Rights writing to the covered entity or business associate describing the acts and/or omissions that are the basis of a complaint. The organization is required to reply with any documents requested by HHS’ Office for Civil Rights and can – if necessary – state its own case against the complaint.

HHS' Office for Civil Rights will review the documents and any arguments against the complaint and determine if a violation has occurred. If so, the agency may attempt to resolve the violation through voluntary compliance and technical assistance – except in extreme cases, when it has the authority to impose a Corrective Action Plan and/or a civil monetary penalty.

How are potential HIPAA violations reported?

Potential HIPAA violations can be reported by individuals, organizations, or members of the workforce directly to HHS’ Office for Civil Rights via their online portal, mail, or fax. It is important to note that complaints must be filed within 180 days of when the complainant knew, or should have known, about the violation. The agency can then decide whether or not to proceed with an investigation based on the nature and severity of the reported violation.

What steps can healthcare providers take to avoid HIPAA violations?

Healthcare providers can help avoid HIPAA violations by regularly training staff on HIPAA regulations, implementing secure systems for storing and accessing PHI, conducting regular audits to detect and address potential security issues, having a clear protocol for reporting and managing potential breaches, and ensuring business associates are also compliant with HIPAA.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
