Hushmail Blog

What happens when a HIPAA complaint is filed against you

Written by Hushmail | Jun 17, 2021 3:00:00 PM

Do you know what happens when a practitioner commits a HIPAA violation and is reported to the Office for Civil Rights (OCR)? Do you know what you would do if a client filed such a report against you?

As a healthcare practitioner, you’re aware of the importance of following HIPAA rules to protect your clients’ information and, hopefully, have signed up for services like Hushmail to help you maintain your compliance. However, even if you’re doing your best to follow the rules, you could inadvertently make a mistake.

In today’s post, we’re taking a look at HIPAA violations: how they occur, how they are reported, what happens during and after an investigation, and what you can do to prevent a complaint from being filed in the first place. 

What’s a HIPAA violation?

A HIPAA violation occurs when a covered entity fails to comply with any provision of the HIPAA Privacy, Security, or Breach Notification Rules. There are numerous ways you can commit a HIPAA violation. Here are some of the most common, as listed in this informative HIPAA Journal article: What is a HIPAA violation?

  • Impermissible disclosures of protected health information (PHI)
  • Unauthorized accessing of PHI
  • Improper disposal of PHI
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors before giving access to PHI
  • Failure to provide patients with copies of their PHI on request

How is a HIPAA violation reported?

Even if you do your best to follow the rules, mistakes can be made, and misunderstandings happen. If a client thinks there has been a violation, they can file a complaint with the OCR by mail, fax, email or via the OCR Complaint Portal.

They will need to submit the name of the covered entity (which would be you) and any business associate involved, and describe the perceived violation. 

The report needs to be filed within 180 days of when the client believes the violation occurred. However, the OCR may extend the 180-day period if the complainant can show "good cause."

You can visit the OCR website to download the forms and for additional information about how someone can file a complaint. 

What happens after a complaint is filed?

After a complaint has been made to the OCR, the next step is an investigation. According to the US Department of Health and Human Services (HHS) explanation about How OCR enforces the HIPAA Privacy & Security Rules:

If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

After the investigation, OCR will issue a letter with the results of the investigation. If it’s found that you, the practitioner, did not comply with the HIPAA rules, then you must agree to 1) voluntarily comply with the rules, 2) take corrective action if necessary, and 3) agree to a resolution. According to the HHS:

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

What about penalties?

The CMPs can be significant depending on the category, or tier, of the violation.

  Tier | Description | Minimum fine per violation | Maximum fine per violation
  1 | Unknowing. You weren’t aware of the rule and couldn’t have realistically avoided the violation. | $141 | $71,162
  2 | Reasonable cause but not willful neglect. You should have been aware of the rule and able to avoid committing the violation, but committed it due to reasonable cause, not “willful neglect”. | $1,424 | $71,162
  3 | Willful neglect, corrected in time. You ignored your responsibilities (“willful neglect”) but attempted to correct the violation within 30 days. | $14,232 | $71,162
  4 | Willful neglect, not timely corrected. You ignored your responsibilities and haven’t attempted to correct the violation within 30 days. | $71,162 | $2,134,831

What you can do to ensure your practice is compliant

As you can see, while the process of filing and investigating a complaint is fairly straightforward, there is plenty of room for interpretation. Even at the lowest tier, penalties can be significant, or waived entirely if it’s decided that you couldn’t reasonably have been expected to avoid the situation giving rise to the violation. However, the biggest cost may be in being subject to OCR monitoring for the period agreed to in the settlement agreement.  

Therefore, it’s best to be proactive when it comes to complying with HIPAA rules. Keeping compliance at the forefront of your practice management ensures that your clients’ information is protected and helps you avoid penalties. 

Here are six basic tips that will help you check the compliance boxes and respond effectively if a complaint is ever filed against you. 

  • Overall, protect your clients’ PHI 
  • Get signed Business Associate Agreements from all third parties that might handle your clients’ PHI
  • Use encrypted communication services such as Hushmail email and web forms
  • Conduct a risk assessment to identify places where your clients’ PHI might be vulnerable and act on the results of the risk assessment
  • Make it easy for your clients to request their health information
  • Keep records of what you’re doing to meet HIPAA standards
  • On becoming aware of a compliance issue, deal with it in a timely manner and don’t let it become the subject of a complaint

You can read more about what you can do to support your HIPAA compliance in our blog post HIPAA and your private practice: the bare minimum you need to know.
