HIPAA, we have a problem

Rehab Regs, July 1, 2005

How to respond to a privacy complaint

You've been busy for months ensuring that your staff members and facility procedures adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But even the most diligent healthcare providers may face patient complaints.

A patient who lodges a complaint against your facility or a staff member feels his or her privacy was breached either unintentionally or deliberately, according to Tessa Chenaille, CHC, president and chief executive officer of Chenaille Compliance Consulting, LLC, in Medford, MA. Consider these examples:

  • Unintentional privacy violation: Two therapists are in an elevator discussing a patient, but the discussion is not critical to the treatment of the patient. The patient's parent or child is also in the elevator, overhears this information being shared, and files a complaint.

  • Deliberate privacy violation: A therapist sells patient information to a company that uses the information for profit.

Essentially, you will violate HIPAA privacy regulations if you use a patient's information for any purpose other than those for which he or she has given permission. Therapists who deliberately violate a patient's privacy face stiffer penalties than those who do so unintentionally.

HIPAA privacy regulations fall under the purview of the federal Office of Civil Rights (OCR) and require all healthcare entities to provide patients with a notice of privacy practices. This notice should include guidelines about what actions patients can take if they feel their privacy has been breached, Chenaille says. Patients have the option of either bringing the complaint to the facility's privacy officer or filing it with the OCR.

"You're obligated to tell your patients how to file a grievance," says Lynn Steffes, PT, president of Steffes & Associates, a consulting firm in New Berlin, WI.

If a patient chooses to make a complaint within your facility, he or she would report the alleged violation to a privacy officer; there should be one designated at every facility. The officer may be responsible solely for privacy-related issues or could have other duties in the office.

"Depending on the size [of a facility], the privacy officer could wear multiple hats," says Chenaille.

The privacy officer oversees any investigation into the complaint. He or she should enlist the help of staff members who may be able to shed light on the incident, but should only give staff the minimum amount of information necessary to determine whether the incident was actually a HIPAA privacy violation.

"The privacy officer should initiate a private investigation and will most likely need the assistance of someone in the rehab department as an investigator," says Chenaille. "[The officer may need to release] information to this investigator, but only enough to conduct a thorough investigation."

If the patient chooses to file his or her complaint with the OCR, the investigation is out of the facility's hands. Depending on the severity of the complaint, outside investigators may request documentation from the facility and visit to interview involved staff members.

If the agency's investigation determines a violation occurred, the facility should document efforts it has made or plans to make to remedy the situation.

"Corrective action could include policy and procedure changes, retraining, or disciplinary action," says Chenaille.

To be safe, create a policy to respond to and document HIPAA complaints in your compliance plan. Log complaints by simply entering them in an Excel spreadsheet, says Chenaille. This way, you can ensure a timely response to and investigation of complaints, as well as track any trends.

For example, if patients routinely complain that their files are left on desks where other patients or visitors can see them, it might be time to set up facilitywide training on proper procedures regarding HIPAA protocol.

If your facility is proactive, it will brace itself for potential privacy violation complaints from patients. However, beginning in April 2005, potential violations under HIPAA can also involve security issues.

This rule applies to the same groups as the privacy rule: all health plans, clearinghouses, and healthcare providers. The main difference is that the security rule applies only to confidential electronic patient health information (ePHI).

It requires healthcare entities that maintain or transmit ePHI to implement reasonable and appropriate administrative, technical, and physical safeguards for patient privacy.