Handling HIPAA violation complaints
by Kelly Grahovac

The Health Insurance Portability and Accountability Act (HIPAA), was established to protect individuals’ medical records and protected health information (PHI) through its privacy and security rules. Health care providers that receive reimbursement for claims from federal programs are considered covered entities and are responsible for compliance with HIPAA regulations. In doing so, covered entities typically have an established HIPAA compliance program.

The Office of Civil Rights (OCR) is the federal agency responsible for enforcing HIPAA privacy and security rules. The OCR conducts routine audits of covered entities and their business associates to ensure compliance with HIPAA, although most of its investigative efforts are the result of reported offenses and complaints.

In most instances, OCR investigations result in technical assistance being given to the covered entity or business associate, including education and information on the appropriate actions to take to protect patient PHI. However, there are some instances that result in corrective actions, such as the OCR entering into settlement agreements with the covered entity or business associate under review.

The OCR reports a steady annual increase of complaints about violations, from 21,404 received in 2016 up to 28,261 complaints entered in 2019. Covered entities can fall victim to an OCR complaint from both internal and external threats. Patients—or their caregivers—are most often the source of a complaint to the OCR if they believe their health information privacy rights have been violated. Invalid recipients of PHI could also report your organization or your business partners to the OCR if they believe that a violation of the Privacy, Security or Breach Notification Rules has occurred. Internally, current and former employees could report your organization to the OCR if they believe that a violation of the rules has occurred. An investigation may also be a result of a complaint or referral from a government entity.

It is important to note that covered entities are required by law to cooperate with investigations. A complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule.

HIPAA Privacy & Security Rule Complaint Process

If the OCR accepts a complaint for investigation, the OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. The OCR may request specific information from each party to get an understanding of the facts. The OCR will review the evidence that it gathers to make a determination on whether or not the covered entity violated the requirements of the rules.

If the evidence indicates that the covered entity was not in compliance, the OCR will attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective actions, and/or a resolution agreement. Most Privacy and Security Rule investigations are concluded to the satisfaction of the OCR through these types of resolutions. If, however, the covered entity does not take action to resolve the matter in a satisfactory manner, the OCR may decide to impose civil money penalties.

Inside an OCR Investigation

As a health care consultancy, our company has worked with several clients undergoing OCR desk audits and investigations, all with positive outcomes. And while each investigation is different, there are commonalties. As detailed earlier, the HIPAA Privacy and Security Rules complaint process follows a standard pathway that begins with a complaint that is reviewed by the OCR for validity before an investigation is initiated. If the OCR determines an investigation is warranted, the covered entity will be notified in writing of the data request. The notification will include the complainant’s name and the allegations brought forth in the complaint. The OCR notification will also include a list of references to the applicable HIPAA Administrative Simplification Regulation (45 CFR §160, §162, and §164) that the covered entity may have violated.

It is the responsibility of the covered entity to respond to the data request within 30 days of receipt with all items requested. Typically, the length of the data request correlates with the number of alleged violations; it is not uncommon for a data request to include 20 or more items to be addressed, as many of the privacy and security requirements are overlapping.

A covered entity will be required to produce its HIPAA policies and procedures corresponding to the rule that was allegedly violated. This includes producing those that were in effect at the time of the incident and those currently in effect, including all revisions. Additional forms of documentation are also requested as evidence that privacy and security rules are followed. This could include employee training documents and logs, security and risk assessments, security agreements with business associates and other third-party vendors, and even internal memos and emails. Without a doubt, covered entities that had a comprehensive HIPAA compliance program in place were able to produce the documentation requested by the OCR much more easily than those that did not.

HIPAA Compliance Basics

All HIPAA compliance programs require four main components to be successful: a security and risk assessment, policies and procedures, employee training and business associate management.

Creating and maintaining a HIPAA compliance program does not have to be a daunting task. An organization can use internal and external resources to get started. Beginning the process with a risk analysis and management plan can make the task of drafting and implementing policies and procedures easier and pave the way for employee training.

Maintaining HIPAA compliance not only provides an organization’s employees, business partners and patients with the assurance that it values the importance of protecting patient health information, but also gives it the ability to more easily conduct business functions. In the event your organization finds itself under the microscope of an OCR investigation, a
fully implemented HIPAA compliance program will make the response time faster and easier—and is more likely to yield positive results.

Kelly Grahovac serves as the general manager for The van Halem Group, where she focuses on audits, appeals, education and training across multiple lines of business and various specialties. Grahovac uses her 15 years’ experience in Medicare regulations to assist providers as they navigate the ever-changing health care payer landscape. Vist vanhalemgroup.com.