Even when you do the best you can to comply with HIPAA regulations, violations and breaches may occur. Clients or patients may report what they think are violations, even when they’re not.
What happens after a HIPAA complaint is filed? What rights do you have as a covered entity or business associate? And what is the worst-case scenario?
Common Violation Examples – What Happens After a HIPAA Complaint is Filed?
The Department of Health and Human Services Office for Civil Rights (HHS OCR) has primary responsibility for investigating alleged violations of HIPAA rules and regulations and conducting audits of covered entities (healthcare providers, insurance companies, and healthcare data clearinghouses) and business associates (vendors who take possession of PHI while performing work on behalf of a covered entity or another business associate).
Covered entities and business associates must report all breaches to the HHS Secretary. The HIPAA Breach Notification Rule specifies timelines and other reporting requirements based on the size of the breach.
HHS OCR’s investigatory purpose is to look for violations that caused or contributed to the breach of PHI. There has never been a fine or penalty assessed for a breach of a patient’s protected health information (PHI).
From 2017 to 2020, the top five issues found during investigations that led to corrective action fell into the following categories:
- Impermissible Uses & Disclosures
- Safeguards
- Administrative Safeguards
- Access
- Technical Safeguards
Examples of violations include: stolen/lost laptops and smartphones with unencrypted PHI; sending PHI to the wrong patient/contact; malware incidents caused by employees falling for phishing scams or ransomware attacks; and employees reviewing PHI of friends or family members without an authorized purpose.
Violation Reporting – What Happens After a HIPAA Complaint is Filed?
If a mistake occurs or a client thinks there has been a violation, they can file a complaint with HHS OCR directly using the OCR Complaint Portal, or through email, phone, or fax.
Forms are available for download on the OCR website, along with additional guidance on filing a complaint. The client has 180 days from the time they think the violation occurred to file a complaint with OCR, but that deadline can be extended if OCR deems that the complainant has shown “good cause” to justify doing so.
Investigation and Penalties – What Happens After a HIPAA Complaint is Filed?
OCR does not investigate every complaint filed. Some complaints are filed against organizations that do not have to comply with HIPAA rules and regulations. If the incident that prompted the complaint occurred more than six years earlier, it will not be investigated. The reason for the complaint must be an activity that, if proven true, would violate the HIPAA Rules.
According to the HHS website:
If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.
If the investigation finds no violation, the action is dismissed. If a violation is found, OCR will attempt to resolve the matter through a combination of voluntary compliance, corrective action, and/or a resolution agreement.
These often include guidance from OCR intended to prevent the violation from recurring and may also include monetary penalties and a requirement for OCR monitoring for one to three years.
If an organization does not agree to resolve the matter in a way that is satisfactory to OCR, it will almost certainly face stiff civil monetary penalties. This decision can be appealed to an HHS administrative law judge. Still, experience has shown that the chances of penalties being overturned are minimal, while the cost of appealing the charges is crippling for most small-to-mid-sized businesses.
Penalties vary based upon the severity of the violation, the level of awareness the organization had (or should have had) regarding it, and whether the organization acted with willful neglect. Fines range from as low as $100 per violation up to $50,000 per violation.
Getting Prepared – What Happens After a HIPAA Complaint is Filed?
You can’t stop individuals from filing HIPAA complaints against your organization, but you can make being fully HIPAA compliant part of your operating strategy. Let Compliancy Group guide you through the HIPAA compliance process in a way that reduces stress, simplifies the process, and empowers you to confidently know you are fully compliant.
We combine our industry-best compliance automation software with personalized assistance from a dedicated compliance coach, so you get compliant and stay compliant in as little as one-tenth of the time of traditional methods.
If complaints, audits, or breaches happen, we’re there to help you respond. After more than 17 years in business, we’ve never had a client fail an audit or be fined.