When a HIPAA complaint is submitted, what happens next depends on who it is filed with, the nature of the complaint, and whether the complaint is valid.
When you first receive care from a healthcare provider or enroll in a group health plan, you should be given a Notice of Privacy Practices. This Notice explains what the provider or health plan is permitted to do with your health data (how it may use and disclose it) and what rights you have, including the right to request restrictions on certain uses and disclosures and the right to request a copy of your health data.
The Notice of Privacy Practices should also tell you where to file a complaint if you believe a provider or health plan has used or disclosed your health data impermissibly, or has otherwise violated your rights. Typically the contact details given are those of the organization's Privacy Officer and of the Department of Health & Human Services' Office for Civil Rights (HHS OCR).
It is also possible to file a complaint with your State Attorney General. However, most states expect you to complain to the organization first, before escalating to the State Attorney General. Keep copies of all correspondence with the organization and, for complaints made by phone, a record of who you spoke to and when.
What Happens When Filing a HIPAA Complaint with an Organization?
HIPAA does not prescribe a specific process for handling a complaint filed with a healthcare provider or health plan, so the process varies from one organization to another. The Privacy Rule does, however, require covered entities to document every complaint they receive and how it was resolved, so make sure you obtain an acknowledgment that your complaint has been received.
Providers and health plans know that if they fail to respond to your complaint satisfactorily and promptly, you can escalate it to HHS' OCR or the State Attorney General. Because a regulatory investigation is disruptive and carries indirect costs, your complaint will usually be evaluated as quickly as possible.
If that review finds a likely HIPAA violation, it will be investigated further. An investigation can have several outcomes:
- If no violation is found, you should receive a reply explaining why.
- If a minor violation is found, the organization will usually take action to correct it.
- If a more serious violation is found, the organization may itself escalate the matter to HHS' OCR, either to obtain technical assistance or to submit a breach report.
- If you are not satisfied with the reply from your provider or health plan, or you do not hear from them promptly, you can escalate the complaint to HHS' OCR or the State Attorney General. Unlike a complaint to a State Attorney General, a complaint to HHS' OCR does not require that you have first complained to the organization.
What’s Next After Filing a HIPAA Complaint with HHS´ OCR?
When a complaint is filed with HHS' OCR, the agency first reviews it to confirm that OCR has jurisdiction, that the complaint was filed within 180 days of the date the complainant knew (or should have known) of the alleged violation (OCR may waive this limit for good cause), and that the complaint alleges a violation of the Privacy, Security, or Breach Notification Rules. About two-thirds of complaints are closed at this screening stage, either because the complaint is against an organization that is not covered by HIPAA, because it was filed too late, or because the conduct described is not a violation.
If a complaint passes screening, HHS' OCR contacts the provider or health plan to seek an informal resolution, for instance by providing technical assistance. If a more serious violation is uncovered, HHS' OCR conducts a full investigation of the organization's compliance. The likely outcomes are technical assistance, a resolution agreement with a formal corrective action plan, or a civil money penalty.
The process is broadly similar when a complaint is filed with a State Attorney General. Both HHS' OCR and State Attorneys General notify the complainant of the outcome once the matter is resolved. The one exception is when HHS' OCR identifies a potential criminal violation of HIPAA, in which case the complaint is referred to the Department of Justice.