Private practices top the list as the most common covered entities required to take corrective action under HIPAA. Here are ways to protect yourself.
How you address patient HIPAA issues, as well as the effectiveness of your HIPAA compliance efforts, can reduce your risk of being subjected to an investigation. All it takes is a single complaint to HHS or a breach report filed by your practice to start an investigation. Fortunately, there are steps your practice can take to avoid this.
Filing a HIPAA complaint is quick and easy through HHS’ toll-free number or using the agency’s paper or online form, and even a dedicated e-mail address. Your HIPAA Notice of Privacy must notify patients of that right as well as the option of filing a complaint with your own privacy officer.
It’s important that your practice effectively supports a patient’s right to take this step and be responsive to any such complaints. Many practices do not have a HIPAA complaint form easily accessible to patients. Many practice staffers and physicians aren’t familiar with the rights of patients to file a complaint.
Make sure your staff knows how to connect the patient with your privacy officer and how the patient can file a complaint outside of the practice. If your complaint process is difficult, your patients may go directly to HHS to trigger an investigation.
If your practice receives a complaint, you should:
Should the patient also file the complaint with HHS, your practice will be able to provide its response, thereby demonstrating your due diligence and HIPAA compliance.
HHS says the problems that have triggered the most investigations are impermissible use and disclosure of information, lack of safeguards, and lack of patient access to information.
After OCR has received a complaint, the agency verifies that the complaint involves a practice or hospital and has been filed on a timely basis, generally within 180 days of the event. If the initial requirements are not met, the complaint is not pursued.
OCR will request information about the complaint. This request will specify the issue and the information needed, as well as a response due date, typically 30 days after the request. Requested information could include documents, logs, and HIPAA manuals. Information from your practice management system and electronic health record (EHR), such as a copy of the document involved in the complaint, may be requested as well.
According to HHS, the initial review may include:
The investigator will next seek to develop a “voluntary action plan or letter” to resolve the complaint. This is where most practices arrive at an agreement and complete the investigation.
If the issue isn’t resolved, OCR will arrange for a site visit. The investigator may:
After the visit, the investigator will analyze the issues and formally document the findings. The investigator may prepare several supporting documents including an action memorandum and investigative report.
The action memorandum documents the complaint issues and includes a draft agreement or other actionable items, including a more serious violation letter of findings.
Practices may receive technical assistance from OCR to address the problem or a more serious notification of an enforcement violation for failing to comply with HIPAA and other deficiencies. The draft is then finalized with a determination whether a violation occurred.
Ron Sterling, CPA, MBA, is president of consulting firm Sterling Solutions in Silver Spring, Maryland. Send your practice management questions to email@example.com.
Avoiding HIPAA complaint investigations
Making HIPAA part of your service strategy
Avoiding situations that lead to impermissible uses and disclosures or HIPAA privacy and security events requires complying with standard HIPAA rules on a consistent and diligent basis. In the event of a complaint, maintaining the proper HIPAA compliance program for your practice will provide important documentation to OCR, demonstrate your due diligence, and may speed resolution of an investigation.
Maintaining a responsive and timely complaint management process
The filing of a complaint with your practice should trigger a timely and effective complaint-handling process that keeps the person filing the complaint informed and is sensitive to his or her concerns. From physicians and staff who can guide the patient or other party on how to file a complaint and handle it at the practice level, to a privacy officer who works with the complainant to address the concerns and avoid similar events in the future, your internal process may satisfy their concerns without resorting to an OCR complaint.
Cooperating with OCR
The OCR case resolution manual and process emphasizes cooperation with practices to resolve complaints. Your practice may be able to address the issue quickly with a voluntary action plan without proceeding to more extensive investigations and onerous sanctions.
The more effective your practice’s HIPAA compliance effort, the lower the odds of a complaint or violation triggering an investigation. Make sure your practice is constantly working on compliance as well as avoiding situations that can lead to patient complaints and OCR investigations.