Anyone can file a complaint if they feel their rights under the HIPAA Privacy, Security, or Breach Rules have been violated. They can file a complaint with the covered entity or business associate involved, or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (the OCR). The HHS.gov website has a full page dedicated to filing a complaint and is one of the first listings to appear if someone performs an internet search for “filing a HIPAA complaint”.
Appropriately handling the patient’s complaint by taking it seriously, investigating, and responding may help decrease the risk of the OCR launching an investigation into your pharmacy. Additionally, if an investigation does occur, following the steps listed below can help ensure that your pharmacy would have all the required information documented to prove you handled the situation pursuant to the HIPAA Rules.
Steps to follow if a patient believes their HIPAA rights have been violated:
- Have the patient fill out a HIPAA Complaint Form
- PAAS National® members with the Fraud, Waste, and Abuse (FWA) and HIPAA Compliance Program can use the HIPAA Patient Complaint form in Appendix B of their Policy & Procedure Manual (P&P Manual)
- The pharmacy’s HIPAA Privacy Officer should review the complaint form to determine if a violation or breach occurred
- FWA/HIPAA Compliance members should review section 10.9 of their P&P Manual regarding complaints
- The Privacy Officer should document the relevant facts of their investigation as well as efforts to mitigate harm to the patient, sanctions that have been applied, or any policies or procedures that need to be revised or updated
- Staff must be trained on all revised policies and procedures, and proof of training maintained
- If a breach occurred, notifications must be sent out to the patient via First class letter, the Secretary of HHS, and, possibly, the media
- Section 10.14 of the FWA/HIPAA Compliance Program P&P Manual discusses breach notifications in further detail, including: required notifications, content, timeline, and other nuances of each notification; PAAS analysts are also available to discuss these notifications with FWA/HIPAA Members if further clarification or guidance is needed
If HIPAA Rule violations are found during an OCR investigation, the pharmacy can be forced to pay civil money penalties and can even be held accountable for an employee’s failure to adhere to company HIPAA policies and procedures. Additionally, individuals accessing or utilizing protected health information inappropriately can be charged civil money penalties or even face criminal charges (and jail time!) for violating the HIPAA Rules.
- The OCR takes HIPAA complaints seriously and can investigate your pharmacy to ensure you are compliant with all HIPAA Rules; be sure you have appropriately documented your response to all HIPAA complaints and maintain all documents related to HIPAA for a minimum of six years
- Routine HIPAA Compliance Audits can also be carried out by the OCR without a prior patient complaint – make sure you have appropriate policies and procedures in place to be fully adherent to all HIPAA Rules
- All staff with access to protected health information should be knowledgeable about HIPAA Rules, your pharmacy’s HIPAA policies and procedures, and sanctions for violating the Rules
- HIPAA training tailored specifically to independent pharmacies, as well as personalized assistance from a member of the PAAS analyst team, is included as part of a PAAS FWA/HIPAA Compliance Program membership