You may not realize how easy it is for someone to submit a complaint about your organization. However, if you are not prepared, what happens after that submission is not something you will soon forget!
This is why HIPAA compliance must be a culture and not just a piece of paper. While someone WILL submit a complaint against you at some point, if you have a culture of compliance in place, there should be little to no effect on your business. If you just run through a simplified checklist once a year, however, and do not enforce the policies and procedures, you will be putting your patients – and your organization – at serious risk.
First, who can submit a HIPAA complaint to the OCR?
This is the scary part – anyone who believes a covered entity is not complying with HIPAA in any way can submit a complaint! The complaint can be submitted directly to the OCR or to the Compliance Officer at the covered entity.
Next, a high-level overview of what happens after a complaint is submitted…
I. Review
During this step the OCR will review the complaint. They will decide, based on the criteria listed below, if they can or will take action:
- Did the activity occur after HIPAA’s effective dates: April 14, 2003 for violations of the Privacy Rule and April 20, 2005 for violations of the Security Rule?
- Is the healthcare organization a Covered Entity that is required to comply with HIPAA’s Privacy Rule and Security Rule?
- If the complaint is accurate, would the alleged activity be a violation of HIPAA’s Privacy or Security Rules?
- Was the complaint filed within 180 days of the date the complainant knew (or should have known) of the violation? The OCR has discretion to waive this requirement for good cause.
During this review, if the complaint includes a possible criminal violation, the OCR can report the complaint to the U.S. Department of Justice (DOJ) for review. See the OCR website for more detail about this step in the process.
II. Investigation
During the Investigation step, the OCR will notify the complainant if their complaint has been accepted. The reported organization will also be notified. The OCR will contact both the complainant and the reported organization with follow-up questions about the incident. They will also work to gather evidence about the reported incident and ask for a copy of the organization’s policies and procedures, required risk assessments, and other related documents.
III. Resolution
After the OCR completes the investigation, they will review the gathered information and decide how to move forward. They may attempt to resolve the case in several ways, which may include a combination of the following:
- Voluntary Compliance
- Corrective Action Requirements
- Resolution Agreement
- Civil Monetary Penalties
Entities that may be facing Civil Monetary Penalties may have additional rights, such as the right to a hearing before an administrative law judge to determine whether the penalties are supported by the evidence.
It’s not over yet! Once you go through this process, you will be audited by the OCR.
When the audit happens, the OCR can, and likely will, find other non-compliance issues. These add to the penalty and can cost your company hundreds of thousands of dollars, or well into the millions.
The question is not IF, but WHEN, someone submits a complaint. There are many reasons a patient or family member might submit one. Once that complaint has been submitted, the OCR will have its eye on your organization.
If you need assistance establishing a culture of compliance please contact us at compliance@thirdrock.com
Protect Your Patients. Protect Your Practice. Protect Yourself.™