In previous posts we’ve talked about different ways to make sure your case workers are HIPAA compliant, whether it’s through training, proper computer etiquette or what they do in the office. But even if you do all you can to keep your case workers HIPAA compliant, violations sometimes happen. If someone files a complaint, what do you need to do? Here are some answers.
Take Swift Action
The first thing you want to do when a client files a complaint is to thank them for bringing it to your attention, making sure they understand there will not be any repercussions for filing the complaint and begin immediately looking into the allegations. If there is a breach of protected health information (PHI), you want to discover it and correct it as quickly as possible. Depending on how culpable your agency is for the breach, penalties can be avoided or reduced if corrected within 30 days.
Investigate Thoroughly
You should conduct an investigation of your own quickly to determine if in fact a breach of PHI has occurred. A review of your internal HIPAA and PHI policies and procedures is a good place to start. Did the incident violate your stated policies? Then talk to everyone involved. Who accessed, used or received the PHI? What is the nature and extent of the PHI involved? Get statements from all parties.
If the complaint went to the Office of Civil Rights (OCR), they will perform their own investigation. Although HIPAA compliance violations can result in fines, sanctions and even jail time, the OCR often resolves the matters by identifying the issues and helping put corrective practices in place to make sure the violations don’t happen again. Rather than imposing sanctions on those who have violated HIPAA Privacy Rules, they take an active role to reform the agency’s HIPAA compliance practices. It is also possible that either by your own investigation or the OCR’s, you discover that no violation occurred.
When a Breach Does Occur
There are three exceptions to the PHI breach definition, which you can find at HHS.gov. But, if one of your case workers have violated HIPAA compliance, you will need to work with your human resources department to determine what sanctions and disciplinary actions need to be taken. These actions can range from oral warning all the way up to dismissal.
Make sure you have documented and recorded all your investigation efforts – from the initial client complaint through what disciplinary actions you have taken and what compliance reforms you have put in place. Then make sure your Privacy Officer or the person appointed to do such tasks notifies the client of your findings and resolution of their complaint.
Being able to avoid HIPAA violations and complaints is obviously the best course of action. But if one does occur, fast, decisive action can make all the difference between heavy penalties and a fast track back to HIPAA compliant.