What is the HIPAA Complaint Process?

Robinson+Cole Data Privacy + Security Insider

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Any person who believes that a covered entity or business associate is not complying with HIPAA may file a complaint with OCR (complaints may also be submitted directly to a covered entity). Here is a high-level overview of the OCR complaint process from intake and review through investigation and resolution:

Intake and Review. During this step, OCR reviews the complaint to determine whether it can or will take action. OCR may take action on a complaint if it meets the following conditions:

  • The activity took place after HIPAA’s effective dates: April 14, 2003 for violations of the Privacy Rule and April 20, 2005 for violations of the Security Rule;
  • The complaint is filed against an entity that is required to comply with HIPAA’s Privacy Rule and Security Rule;
  • The complaint alleges an activity that, if true, would be a violation of HIPAA’s Privacy Rule or Security Rule; and
  • The complaint is filed within 180 days of the date the person knew or should have known of the violation. OCR has discretion to waive this requirement for good cause.

If the complaint includes a possible criminal violation, OCR can report the complaint to the U.S. Department of Justice (DOJ) for review. If the DOJ declines the case, it can return the complaint to OCR for possible investigation.

Investigation. OCR will notify an individual if their complaint has been accepted. The named organization will also be notified. Both the organization and the complainant may be asked to provide information about the alleged incident, which may include the circumstances surrounding the incident as well as the organization’s related policies, procedures, and practices.

Resolution. After OCR reviews the information provided during the investigation, it may attempt to resolve the case through voluntary compliance, corrective action, and/or a resolution agreement. OCR also has authority to impose civil monetary penalties (CMPs) on the entity allegedly responsible for the violation. Entities that may be facing CMPs may have additional rights, such as the right to a hearing before an administrative law judge to determine whether the penalties are supported by the evidence.

Approximately 62 percent of complaints filed with OCR since April 14, 2003 have been determined by OCR not to be eligible for enforcement. According to OCR’s website, some of the most frequently investigated compliance issues relate to improper use or disclosure of health information, lack of safeguards to protect health information, and lack of patient access to health information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
