
How to protect your practice from HIPAA investigations
Private practices top the list as the most common covered entities required to take corrective action under HIPAA. Here are ways to protect yourself.
How you address patient HIPAA issues, and how effective your HIPAA compliance program is, directly affect your risk of being subjected to an investigation. All it takes is a single complaint to HHS, or a breach report filed by your own practice, to start one. Fortunately, there are steps your practice can take to reduce that risk.
Know the process
Filing a HIPAA complaint is quick and easy: patients can use HHS' toll-free number, the agency's paper or online form, or even a dedicated e-mail address. Your
It is important that your practice effectively supports a patient's right to take this step and is responsive to any such complaints. Many practices do not have a HIPAA complaint form easily accessible to patients, and many staffers and physicians are not familiar with patients' right to file a complaint.
Make sure your staff knows how to connect the patient with your privacy officer and how the patient can file a complaint outside the practice. If your internal complaint process is difficult to use, patients may go directly to HHS and trigger an investigation.
Handling things in-house
If your practice receives a complaint, you should:
- Contact the patient as soon as possible to gather information on the incident and convey your commitment to addressing the situation. The privacy officer should also explain your internal process.
- Keep the patient informed about the status and resolution of the complaint as well as, if necessary, the breach notification.
- Formally notify the patient of your findings and your response to his or her complaint. Your response should help the patient understand the situation and your efforts to address any problems. Note that many complaints do not involve an actual violation but rather a patient's misunderstanding of your HIPAA obligations and their own rights.
- Maintain documentation of the practice's response to the complaint and of any remediation effort, both as a record and to help avoid similar problems in the future.
- Ensure that practice leadership regularly reviews both the status of complaints and the practice’s response to them as part of the HIPAA monitoring effort.
Should the patient also file the complaint with HHS, your practice will be able to provide its response, thereby demonstrating your due diligence and HIPAA compliance.
OCR investigations
HHS says the problems that have triggered the most investigations are impermissible use and disclosure of information, lack of safeguards, and lack of patient access to information.
After OCR receives a complaint, the agency verifies that it involves a covered entity, such as a practice or hospital, and that it was filed on a timely basis, generally within 180 days of the event. If these initial requirements are not met, the complaint is not pursued.
OCR will then request information about the complaint. The request specifies the issue, the information needed, and a response due date, typically 30 days after the request. Requested information could include documents, logs and HIPAA manuals. Information from your practice management system and electronic health record (EHR), such as a copy of the record involved in the complaint, may be requested as well.
According to HHS, the initial review may include:
- analyzing the submitted information to determine if OCR can resolve the issue;
- requesting additional information on problems or deficiencies noted in your response to OCR; and
- acquiring additional information and/or conducting interviews by phone as needed to determine the proper handling of the complaint.
The investigator will next seek to develop a "voluntary action plan or letter" to resolve the complaint. This is the point at which most practices reach an agreement and the investigation is completed.
If the issue is not resolved, OCR will arrange a site visit. The investigator may:
- Interview just about anyone in your practice, including managers, the HIPAA privacy officer, computer support staff, clinical staff, doctors and front desk staff.
- Observe operations to understand the environment that led to the complaint.
After the visit, the investigator will analyze the issues and formally document the findings. The investigator may prepare several supporting documents including an action memorandum and investigative report.
The action memorandum documents the complaint issues and includes a draft agreement or other actionable items; for more serious matters it may include a letter of findings describing the violation.
Practices may receive technical assistance from OCR to address the problem or, in more serious cases, formal notification of an enforcement violation for failing to comply with HIPAA, along with any other deficiencies found. The draft is then finalized with a determination of whether a violation occurred.
Avoiding HIPAA complaint investigations
The OCR case resolution manual and process emphasize cooperation with practices to resolve complaints. Your practice may be able to address the issue quickly with a voluntary action plan without proceeding to a more extensive investigation and onerous sanctions.
The more effective your practice's HIPAA compliance effort, the lower the odds of a complaint or violation triggering an investigation. Make sure your practice is constantly working on compliance and on avoiding the situations that lead to patient complaints and OCR investigations.
Ron Sterling, CPA, MBA, is president of consulting firm