The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 and heralded a shift in the relationship between patient health information and privacy. In the 22 years since HIPAA became law, it has undergone a number of transformations in both the requirements set forth in the law and how they are enforced. In this article, we'll be primarily focusing on the complaints process for HIPAA violations. Individuals and organizations have the ability to file complaints for violations of HIPAA. If complaints are found to be substantiated, there can be hefty penalties levied against the violating entity. As such, it is important for both individuals and organizations to understand what the HIPAA complaints process is, how one can file a HIPAA complaint, and who investigates HIPAA complaints.
HIPAA: Background Information
Before diving into the complaints process embedded in HIPAA, it is helpful to first gain a better understanding of what HIPAA itself is and how it has changed over time. HIPAA was implemented in the mid-1990s as a first step towards securing sensitive patient health information during a period of rapid technological innovations. During this time digital technology quickly began to be integrated into the healthcare sector. Health care providers began to transition to digital health record keeping. Prior to HIPAA, there was a federal law that set forth requirements for the protection of protected health information (PHI).
When it was first introduced, HIPAA sought to fulfill two primary functions. First, it ensured that employees wouldn't lose their health coverage when transitioning between jobs. This provided an important level of healthcare security to private citizens and allowed for more fluidity in the US employment market. However, when it came to securing PHI, HIPAA lacked the regulatory structure and enforcement mechanisms necessary for adequate implementation. In order to address this shortcoming, a number of different supplements to HIPAA have been passed over the years. Over time, HIPAA has been buttressed by a Privacy Rule, Security Rule, Enforcement Rule, Breach Notification Rule, and the HITECH Act. Each of these Rules substantially altered how and when HIPAA could be enforced, as well as adapting HIPAA to the modern technological and data-driven landscape. For a more in-depth look at each of these Rules and how they have transformed HIPAA, head over to our blog post, What is HIPAA?
The Rules and the HITECH Act that have modified HIPAA have together resulted in the HIPAA Omnibus Rule, with which covered entities must maintain compliance today. The full text of the HIPAA Omnibus Rule can be found here. To provide some clarity, covered entities under HIPAA refers to health plans, health care clearinghouses, health care providers, and entities that process health care transactions electronically. This includes business associates of health care providers. In essence, if you interact with or process PHI or electronic PHI (ePHI), you are covered by HIPAA and must comply with its regulations. The widespread reliance on third-party providers for logistics and support services in the healthcare industry illustrates the broad scope and reach of HIPAA law. This also highlights the importance of gaining a greater understanding of HIPAA to determine whether you are considered a covered entity or business associate and whether you are compliant with all HIPAA requirements.
The complaints process for HIPAA violations is an important structure that provides an avenue for whistleblowers and witnesses to report violations without fear of reprisal. If one wishes to file a HIPAA complaint, it is done through the U.S. Department of Health and Human Services Office of Civil Rights (OCR). OCR is the organization that receives HIPAA complaints, is responsible for investigating them, works with violators to remedy situations where violations are present, and imposes penalties on covered entities or individuals that violated HIPAA law. As such, OCR is responsible for the HIPAA complaints process as a whole and is the primary resource for individuals or organizations that are filing a HIPAA complaint.
Requirements for HIPAA Complaints
HIPAA complaints have three basic requirements that must be met for them to be investigated by the OCR. First, someone must file a complaint. HIPAA complaints can be filed in a number of ways, including by mail, fax, and e-mail, as well as through the OCR Complaints Portal. The HIPAA complaint form can be found here. Second, complaints must be filed within 180 days in order to be investigated. If a complaint is filed outside of the 180-day period from the time of the violation, the person or organization filing the complaint must demonstrate good cause for filing the complaint outside of that window. If the OCR determines there is good cause, it can proceed with investigating the complaint and addressing any violations. Lastly, the complaint must specifically name the covered entity or business associate involved in the violation and include a description of the violation. Complaints must be grounded in a tangible violation of the Privacy, Security, or Breach Notification Rules in the HIPAA Omnibus Rule.
The HIPAA Complaints Process
The Office of Civil Rights outlines the process through which complaints are received and investigated, and ultimately what remedies are sought for HIPAA violations. Once OCR receives a valid complaint of an act or omission that violates the HIPAA Privacy Rule or HIPAA Security Rule, the OCR will notify, in writing, both the individual who filed the complaint and the covered entity or business associate named in the complaint. This written notification lets both parties know that a complaint investigation has been initiated. The OCR will then request information or documentation from both parties regarding the complaint. Here it is important to note that covered entities and business associates are required by law to comply with HIPAA complaint investigations. During the course of the investigation, OCR can request specific documentation or information to further substantiate claims made in the complaint. Once enough information is gathered, the OCR will determine whether the covered entity violated the HIPAA Privacy Rule or Security Rule. If the OCR finds that the complaint was substantiated and a HIPAA violation did occur, it can seek remediation in a number of forms.
Possible Outcomes of a Complaint
What happens if you violate HIPAA? Filing a HIPAA complaint can lead to a number of possible outcomes, so gaining a better understanding of the most common end results of the HIPAA complaint process is important. The first possible outcome is that the complaint isn't valid. This can be because no applicable law was violated, or because the violation occurred prior to the implementation of the HIPAA Privacy Rule or Security Rule. Complaints can also be invalid if they are filed outside of the 180-day window set forth by the OCR. Only HIPAA complaints that show good cause for filing outside of this 180-day window can proceed. During the investigation, the OCR may determine that the covered entity named in the complaint complied with all relevant aspects of the HIPAA Privacy and Security Rules. This most often occurs when an individual believes that a violation occurred without fully understanding what is and isn't a violation.
If a violation is found to have occurred, the OCR can proceed in a number of different ways. First, if the action in question violated a criminal provision of HIPAA, the case will be forwarded to the Department of Justice for criminal prosecution. If no criminal provision was violated, the OCR will attempt to remediate the violation. Remediation for HIPAA complaints most often takes the form of voluntary compliance and corrective action, and may or may not include a resolution agreement. Covered entities found in violation of HIPAA may choose to voluntarily address the systems or processes that led to non-compliance. Achieving HIPAA compliance is not hard to do, and most organizations that are found in violation of HIPAA law will rapidly seek to identify areas of non-compliance and shore up any weaknesses in order to avoid further complaints and possible monetary penalties. OCR may outline and enforce corrective action against entities found in violation of HIPAA. Corrective action may require substantial changes to how ePHI is handled, transmitted, and stored, and to who may access it. This can be costly in its own right for covered entities. In order to set strict requirements for covered entities and ensure compliance, OCR may require covered entities to adhere to a resolution agreement.
If a covered entity fails to comply with the remediation steps outlined by the OCR as a result of a complaint, the OCR may impose monetary penalties against the covered entity. Referred to as civil money penalties (CMP), these monetary penalties can be substantial. The OCR uses civil money penalties as a last resort to force compliance with HIPAA. For example, a case against Cignet in 2010 resulted in civil money penalties totaling $4.3 million for a failure to comply with the informal remediation process. This highlights the importance of both maintaining compliance with HIPAA and working closely with OCR during the informal resolution process to address any violations before a CMP is imposed.
Notes About the HIPAA Complaint Process
The first thing to note about the HIPAA complaints process is that not all complaints are investigated by the OCR. For HIPAA complaints, the OCR is specifically looking at whether the complaint concerns a valid covered entity, and whether the action or omission in question was in violation of the HIPAA Privacy Rule or Security Rule. The Privacy and Security Rules apply to covered entities, which are health plans, health care clearinghouses, and health care providers that transmit health information electronically. Dentists, chiropractors, hospitals, and pharmacies are all examples of this last category. With regard to HIPAA complaints this is important because there are a number of entities that are not required to comply with the HIPAA Privacy and Security Rules, and thus would not fall under the purview of the OCR's HIPAA complaint process. Many law enforcement agencies, schools, and municipal and state agencies are not required to comply with the HIPAA Privacy and Security Rules. Additionally, employers are not required to comply with the Privacy and Security Rules. As such, before filing a HIPAA complaint it is important to first understand whether the entity that committed the violation is considered a covered entity.
A second thing to note about the HIPAA complaint process is that, in general, complaints are resolved through informal resolutions. These include voluntary compliance, corrective action, and/or a resolution agreement. Many of the informal resolutions give the covered entity an opportunity to address the issue before CMPs are applied. In the event that a CMP is applied to a covered entity, the individual who filed the initial complaint is not awarded the money. Instead, any penalties collected are deposited in the U.S. Treasury. Because of this, there is no monetary incentive for individuals to file a HIPAA complaint.
Final Thoughts on HIPAA Complaints
HIPAA complaints fulfill a vital function in the application and enforcement of HIPAA. The OCR enforces HIPAA through either compliance reviews or the complaints process. Because of this, it is important to understand how complaints are filed, what the process for complaints is, and what the possible outcomes of a complaint are. Important takeaways about the HIPAA complaints process are that the individual filing the complaint must do so within 180 days of the violation, must specifically name the entity involved in the alleged violation, and must provide detailed information about the violation. Individuals filing a complaint must also provide their name, which can give rise to concerns about retaliation. Embedded in the complaints process are protections against retaliation of any form against whistleblowers, which can provide some level of assurance for those wishing to file a HIPAA complaint. For a HIPAA complaint to be valid, it must involve a covered entity acting in violation of the HIPAA Privacy or Security Rules.
Once a complaint has been accepted by OCR, the covered entity named in the complaint must comply with all aspects of the investigation. This includes responding to requests for documentation or data from OCR investigators. If a violation has been found, the OCR will attempt to resolve the violation through an informal process. If the informal process fails to achieve the desired outcome, the OCR can impose civil money penalties on the covered entity. Speak with a specialist at RSI Security to find a HIPAA compliance solution that is right for you!