A patient voices a concern of privacy violation because the provider mistakenly emailed her medical treatment information to unrecognized email addresses. Your Notice of Privacy Practices correctly informs the patient of her rights under HIPAA to file a privacy complaint with your organization’s Privacy Officer and the Office of Civil Rights (OCR). As the provider, how should you respond? What is your protocol for handling this patient complaint? Follow these seven steps outlined below to ensure you cover all your bases.
Step 1: Timely Response to Patient Complaints
Treat all patient complaints of privacy seriously by taking prompt action. If there is a breach of protected health information (PHI) then the clock is ticking. Depending on the level of culpability, penalties can be avoided or reduced if the breach is corrected within 30 days. If the provider is required to report the breach, it only has 60 days from discovery to report under the Breach Notification Rule (discussed below). Therefore, time is of the essence when handling complaints of this nature.
In taking prompt action, ask the patient to reduce the complaint to writing by filling out a complaint form. A sample patient complaint form is provided with this article. Be careful to avoid any action that could be construed as retaliation against the patient for filing the complaint. Once the patient submits a completed complaint form, the HIPAA Privacy Officer, or other designated person(s), must take over to investigate and determine whether a HIPAA breach has occurred.
Step 2: Conduct an Adequate Investigation
Is there a violation of the HIPAA Privacy or Security Rule? If so, you may be dealing with a HIPAA breach, which is defined as an impermissible use or disclosure of PHI that compromises the security and/or privacy of the PHI. Therefore, fully investigate the complaint through fact finding and root cause analysis to understand the depth of the incident and to determine whether you are dealing with a breach situation. Review internal policies and procedures to determine whether there was a violation; identify any persons who accessed, used or received the PHI, including interviewing and obtaining statements from staff who were involved in the incident; and review the nature and extent of the PHI involved. If your investigation does not substantiate a HIPAA violation, skip to Step 5; otherwise, continue to Step 3.
Step 3: Correct and Mitigate Harmful Effects
If the investigation substantiates a breach has occurred, then HIPAA requires you to mitigate the harmful effects of the breach. This is a critical step since it factors into the analysis that determines whether the breach must be reported to individuals, media and/or HHS. In addition, and as mentioned above, penalties may be avoided or reduced if the breach is corrected within 30 days.
Start by correcting the breach if possible: stop any further unauthorized uses or disclosures of the PHI. If the damage is already done, take measures to mitigate the breach. By completing an investigation, you should understand what caused the breach and be able to determine ways of preventing similar breaches in the future. Mitigation efforts may include updating policies and procedures, providing refresher compliance training for staff, and/or implementing new safeguards to prevent noncompliance.
Step 4: Determine if there is a Reportable Breach
If the breach at issue involves the use or disclosure of secured PHI, the breach does not have to be reported. But if the use or disclosure involves unsecured PHI, that is, PHI not properly rendered unusable, unreadable, or indecipherable, then a breach is presumed under the Breach Notification Rule, and further analysis is necessary to determine whether an exception applies or whether there is a low probability that the PHI has been compromised. Your initial investigation will assist you with these efforts.
First, determine if the breach fits within one of the three exceptions of the Breach Notification Rule:
- The unintentional access, use or acquisition of PHI by a workforce member or person acting under the authority of the provider if done in good faith and within the scope of authority and does not result in further use or disclosure that violates HIPAA.
- An inadvertent disclosure of PHI by an authorized person to another authorized person as long as the PHI is not further used or disclosed.
- The provider has a good faith belief that the unauthorized person would not likely have been able to retain the PHI that was disclosed.
If an exception does not apply, conduct a risk assessment that considers the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
If the assessment indicates more than a low probability of PHI compromise, the breach must be reported. Breaches affecting fewer than 500 individuals require notice to affected individuals within 60 days following discovery of the breach and notice to Health and Human Services (HHS) within 60 days of the end of the calendar year. For larger breaches, affecting 500 or more individuals, notices to affected individuals, HHS and major media outlets must be sent within 60 days following discovery of the breach. In addition to HIPAA, state breach notification laws must also be followed.
Step 5: Involve HR to Determine Disciplinary Measures
HIPAA requires covered entities to apply appropriate sanctions against workforce members who violate HIPAA. Work with human resources to identify the appropriate disciplinary measures to take. Follow human resources policies and any progressive discipline process so that the outcome is consistent with the employee's past disciplinary history and with sanctions applied for similar violations. Disciplinary action can range from an oral warning to a written warning, suspension, and up to termination.
Step 6: Get your Documents in Order
Document and record all your investigative efforts. This includes the patient complaint, the internal investigation and determination, documents reviewed and witness statements obtained, actions taken to mitigate the breach, copies of breach notices or the rationale for not reporting, and any disciplinary actions taken.
Step 7: Follow up with the Patient
The Privacy Officer or appointed designee should notify the patient of the findings and resolution of the complaint.
As a final note, take this opportunity to improve your compliance program so that it promotes prevention, detection and resolution of unlawful conduct. A sample HIPAA Privacy Complaint Form is provided with this article.