What happens when a HIPAA complaint is filed against you

Published on June 17, 2021


Do you know what happens when a practitioner commits a HIPAA violation and is reported to the Office for Civil Rights (OCR)? Do you know what you would do if a client filed such a report against you?

As a healthcare practitioner, you’re aware of the importance of following HIPAA rules to protect your clients’ information and, hopefully, have signed up for services like Hushmail to help you maintain your compliance. However, even if you’re doing your best to follow the rules, you could inadvertently make a mistake.

In today’s post, we’re taking a look at HIPAA violations: how they occur, how they are reported, what happens during and after an investigation, and what you can do to prevent a complaint from being filed in the first place. 

What’s a HIPAA violation?

A HIPAA violation occurs when a covered entity fails to comply with any provision of the HIPAA Privacy, Security, or Breach Notification Rules. There are numerous ways you can commit a HIPAA violation. Here are some of the most common, as listed in this informative HIPAA Journal article: What is a HIPAA violation?

  • Impermissible disclosures of protected health information (PHI)
  • Unauthorized accessing of PHI
  • Improper disposal of PHI
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors before giving access to PHI
  • Failure to provide patients with copies of their PHI on request

How is a HIPAA violation reported?

Even if you do your best to follow the rules, mistakes can be made, and misunderstandings happen. If a client thinks there has been a violation, they can file a complaint with the OCR by mail, fax, email or via the OCR Complaint Portal.

They will need to submit the name of the covered entity (which would be you) and any business associate involved, and describe the perceived violation. 

The report needs to be filed within 180 days of when the client believes the violation occurred. However, the OCR may extend the 180-day period if the complainant can show "good cause."

You can visit the OCR website to download the forms and for additional information about how someone can file a complaint. 

What happens after a complaint is filed?

After a complaint has been made to the OCR, the next step is an investigation. According to the US Department of Health and Human Services (HHS) explanation about How OCR enforces the HIPAA Privacy & Security Rules:

If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

After the investigation, OCR will issue a letter with the results of the investigation. If it’s found that you, the practitioner, did not comply with the HIPAA rules, then you must agree to 1) voluntarily comply with the rules, 2) take corrective action if necessary, and 3) agree to a resolution. According to the HHS:

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

What about penalties?

The CMPs can be significant depending on the category, or tier, of the violation.

| Tier | Description | Fine |
| --- | --- | --- |
| 1 | The covered entity was unaware of and could not have realistically avoided the violation even if a reasonable amount of care had been taken to abide by HIPAA Rules. | Minimum fine of $100 per violation up to $50,000. OCR has the discretion to waive a financial penalty for cases where the practitioner could not have been expected to avoid a data breach. |
| 2 | The covered entity should have been aware of the rule and able to avoid committing the violation but committed the violation due to reasonable cause, not “willful neglect.” | Minimum fine of $1,000 per violation up to $50,000. |
| 3 | The covered entity committed the violation due to willful neglect but has attempted to correct the violation in a timely manner. | Minimum fine of $10,000 per violation up to $50,000. |
| 4 | The covered entity committed the violation due to willful neglect and did not attempt to correct the violation. | Minimum fine of $50,000 per violation. |

What you can do to ensure your practice is compliant

As you can see, while the process of filing and investigating a complaint is fairly straightforward, there is plenty of room for interpretation. Even at the lowest tier, penalties can be significant, or waived entirely if it’s decided that you couldn’t reasonably have been expected to avoid the situation giving rise to the violation. However, the biggest cost may be in being subject to OCR monitoring for the period agreed to in the settlement agreement.  

Therefore, it’s best to be proactive when it comes to complying with HIPAA rules. Keeping compliance at the forefront of your practice management ensures that your clients’ information is protected and helps you avoid penalties. 

Here are six basic tips that will help you check the compliance boxes and respond effectively if a complaint is ever filed against you. 

  • Overall, protect your clients’ PHI 
  • Get signed Business Associate Agreements from all third parties that might handle your clients’ PHI
  • Use encrypted communication services such as Hushmail email and web forms
  • Conduct a risk assessment to identify places where your clients’ PHI might be vulnerable and act on the results of the risk assessment
  • Make it easy for your clients to request their health information
  • Keep records of what you’re doing to meet HIPAA standards
  • On becoming aware of a compliance issue, deal with it in a timely manner and don’t let it become the subject of a complaint

You can read more about what you can do to support your HIPAA compliance in our blog post HIPAA and your private practice: the bare minimum you need to know.
