Do you feel like your company or organization may be violating HIPAA regulations? You can file a HIPAA complaint with the Office for Civil Rights (OCR), Department of Health and Human Services. The OCR investigates complaints to ensure that covered entities are following HIPAA privacy, security, and breach notification rules.
This blog post will provide an overview of what to expect if you file a complaint with the OCR.
You will learn:
- What information needs to be included in your complaint
- The types of issues that can be reported under this process
- If you can file a complaint to the OCR anonymously
- Other ways you can file a HIPAA complaint
Let's get started.
What Can I File a Complaint About?
HIPAA was created to protect the privacy of patient health information and the security of that information. Covered entities must follow HIPAA rules
when using, storing, sharing, or transmitting this information.
The OCR investigates complaints where individuals feel their PHI has been used or disclosed in an unauthorized way, in a manner that does not comply with HIPAA rules. Here are some examples:
- A doctor shares an individual's health information with their spouse without the patient's consent
- An organization receives a complaint from a family member about how they share patient information when conducting research
- An individual request their PHI from a covered entity and is denied access
If you don't feel like your complaint falls under these examples, it's still possible that the OCR may investigate.
The OCR looks at all complaints submitted to determine if they fall within HIPAA guidelines and will add additional issues to the investigation if necessary.
What Information Do I Need To Include With My Complaint?
When filing a complaint by mail, email, fax, or through the OCR Complaint Portal, you need to include certain information to ensure the OCR is investigating the correct issue and individuals/companies.
Here's what you need to include:
- The name of the person or organization you are filing a complaint against
- The name of the individual who is filing the complaint (in most cases)
- Details about what happened during your interactions with specific covered entities or business associates, and when they occurred.
If you're filing your complaint through writing, you can also include:
- If you require special help for the OCR to communicate with you regarding your complaint
- The name and contact information for someone who can assist the OCR in reaching you if they can't reach you directly
- If you've already filed your complaint with someone else and where you've done so
Realize that you need to file your complaint within 180 days of when you knew that the HIPAA violation occurred
. In some cases, though, OCR may extend the 180-day period if you can show "good cause"
Another thing you need to know is that OCR doesn’t investigate HIPAA violations that occurred before the Privacy Rule and Security Rule took effect. The Privacy Rule
came into force on April 14, 2003, and the Security Rule on April 20, 2005. So, the OCR doesn’t look into breaches that happened before these dates.
Can I File a Complaint To the OCR Anonymously?
Note that the OCR does not look into complaints submitted without a name and contact information. Of course, you may be concerned about your name becoming public knowledge and receiving unwanted attention from the media.
So, if you want the OCR to keep your name and contact information private throughout the investigation, you may indicate so on the consent form.
If you deny consent, OCR will not reveal your name and private information to the covered entity or business associate you're lodging a complaint against.
The Exemptions Under the HIPAA Act That You Need To Know
There are three “accidental disclosure” exemptions under the HIPAA Act. These are some of the situations where you may not need to report a breach to the OCR:
- When there has been an unintended release of PHI by a person authorized to access the information at a covered entity or business associate, to someone else authorized to do so.
- When a workforce member or someone acting under the authority of a covered entity or business associate unintentionally gains access to PHI. But the acquisition of the health information needs to have been made in good faith and made within the scope of authority.
- When the covered entity (or business associate) has a good faith belief that the non-authorized person to whom the impermissible PHI disclosure was made would not have been able to retain that information.
Who Else Can I Submit a Complaint To?
There are a few different ways you can report HIPAA violations
. Although the OCR is the primary organization receiving complaints, there are other ways of filing a complaint if you do not feel comfortable going through this particular process.
The following list contains some alternative options:
Health Plan Auditors: Health Plan Auditors are auditing organizations that perform HIPAA compliance audits on health care plans. These organizations submit information about covered entities they have performed audits on to the OCR, but will also accept individual complaints. You may file a complaint online or by mail.
State Attorneys General: If you do not feel comfortable submitting your complaint to the OCR, you can contact your state's attorney general. The majority of states have an office dedicated to protecting the rights of their residents, and some will accept complaints about HIPAA violations.
Federal Trade Commission (FTC): If you feel like an individual or organization is abusing the privacy rule, you can submit a complaint with the FTC. Their goal is to protect consumers from "deceptive or unfair business practices." By filing a complaint with them, you may help the FTC take action against those who have violated HIPAA policies.
You can also report to your supervisor, your company's Privacy Officer, or the Compliance officer when you suspect there's a HIPAA breach in your organization.
After receiving a complaint, an organization has a duty to investigate the violation internally and determine whether the complaint meets the threshold for reporting under the breach notification rule.