In previous posts we’ve talked about different ways to make sure your case workers are HIPAA compliant, whether it’s through training, proper computer etiquette or what they do in the office. But even if you do all you can to keep your case workers HIPAA compliant, violations sometimes happen. If someone files a complaint, what do you need to do? Here are some answers.
The first thing you want to do when a client files a complaint is to thank them for bringing it to your attention, make sure they understand there will not be any repercussions for filing the complaint, and immediately begin looking into the allegations. If there is a breach of protected health information (PHI), you want to discover it and correct it as quickly as possible. Depending on how culpable your agency is for the breach, penalties can be avoided or reduced if corrected within 30 days.
If the complaint went to the Office of Civil Rights (OCR), they will perform their own investigation. Although HIPAA compliance violations can result in fines, sanctions and even jail time, the OCR often resolves the matters by identifying the issues and helping put corrective practices in place to make sure the violations don’t happen again. Rather than imposing sanctions on those who have violated HIPAA Privacy Rules, they take an active role to reform the agency’s HIPAA compliance practices. It is also possible that either by your own investigation or the OCR’s, you discover that no violation occurred.
There are three exceptions to the PHI breach definition, which you can find at HHS.gov. But if one of your case workers has violated HIPAA compliance, you will need to work with your human resources department to determine what sanctions and disciplinary actions need to be taken. These actions can range from an oral warning all the way up to dismissal.
Make sure you have documented and recorded all your investigation efforts – from the initial client complaint through what disciplinary actions you have taken and what compliance reforms you have put in place. Then make sure your Privacy Officer or the person appointed to do such tasks notifies the client of your findings and resolution of their complaint.