It's important for covered entities to familiarize themselves with the way in which Health Insurance Portability and Accountability Act (HIPAA) complaints are handled. Covered entities big and small are often the target of complaints. Some of these complaints may be valid, whereas others are false/fictitious. Regardless, understanding the complaint process and how it is handled will give you the upper hand in maintaining a compliant healthcare practice.
How Common are HIPAA Complaints?
This is a question that many covered entities ask, especially those who are unfamiliar with the nuances of HIPAA. So, just how common are HIPAA complaints?
According to data presented by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), they received more than 91,000 HIPAA-related complaints in the decade spanning from 2003 to 2013. Of those 91,000 complaints, the OCR pushed enforcement actions on 22,000 cases. And of those 22,000 complaint cases, 521 led to criminal charges.
The HIPAA Complaint Process
When a HIPAA complaint is made on a covered entity, the OCR will first review the complaint to determine whether or not it's valid. Just because a patient claims that a doctor or physician wrongfully disclosed their Protected Health Information (PHI) doesn't necessarily mean a HIPAA violation occurred. This is why the OCR must first review each and every complaint that it receives.
Now it's important to note that complaints involving HIPAA violations that occurred before April 14, 2003 are NOT subject to the HIPAA Privacy Rule. If a complaint involves a violation that occurred before this period, it is discarded and not further action is taken. Furthermore, HIPAA complaints must be filed within 180 days of the violation, or an extension must have been given.
After reviewing the complaint, the OCR will launch an investigation if there was a possible Privacy or Security Rule violation. The OCR will then take one of three different actions: it will deem the covered entity as being complaint (no violation found); it will obtain voluntary compliance and corrective measures; or it will issue a formal finding of the violation.
In the rare – but not unheard of – event that a HIPAA violation involves criminal activity, the OCR will hand the case over to the Department of Justice (DOJ). Typically the OCR handles most forms of HIPAA enforcement, except in criminal cases, in which case the DOJ takes over.