In this lesson, we'll be covering what you should do if you receive a HIPAA complaint, including the steps you should take if you both receive a complaint and suffer a data breach. At the end of the lesson, we'll stick with our recent looks at HIPAA violations with a Word about the HIPAA violation penalty structure.

If You Receive a HIPAA Complaint

If you receive a complaint from a patient or a business about your handling of protected health information (PHI), you should remedy the situation using the following steps:

  1. Make a note of the complaint in your incident log.
  2. Provide a complaint form for the patient or business making the complaint to complete. The form is used to capture the details of the complaint.
  3. Your privacy officer should conduct a thorough formal investigation into the complaint to identify if any policies or procedures were not followed and if there was a potential data breach that could have impacted PHI.

If You Suffer a Data Breach

Let's say you take a complaint seriously and discover it was not only valid, but PHI was indeed breached. What do you do now?

If your privacy officer does identify that PHI has been breached, take the following steps:

  1. Log the data breach into a data breach log.
  2. Perform a risk assessment to help identify security gaps and vulnerabilities.
  3. Notify all of the impacted individuals of the data breach.
  4. Be mindful of time – report the data breach within the standard federal 60-day notification window, or within the state notification deadline if it is more restrictive.
  5. After a risk report has been created from the risk assessment, you must document your remediation plan and remediate the risks in a timely manner.

A Word About HIPAA Violation Penalty Structure

Each category of violation carries a separate HIPAA penalty. It is up to the Office for Civil Rights to determine a financial penalty within the appropriate range. They will consider a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed.

An organization's willingness to assist with an Office for Civil Rights investigation is also taken into account. The general factors that can affect the level of financial penalty also include prior history, the organization's financial condition, and the level of harm caused by the violation.

You may recall from the Word section of the last lesson that HIPAA's penalty structure uses a tier system. Well, there is also a tier system when it comes to assessing fines.

  1. Tier 1: Minimum fine of $100 per violation up to $50,000.
  2. Tier 2: Minimum fine of $1,000 per violation up to $50,000.
  3. Tier 3: Minimum fine of $10,000 per violation up to $50,000.
  4. Tier 4: Minimum fine of $50,000 per violation.

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account.

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the data breach under multiple security and privacy standards. For instance, a fine of $50,000 could, in theory, be issued for any violation of the HIPAA rules, however minor it turns out to be.

A fine can also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the Office for Civil Rights may decide to apply a penalty per day that the covered entity has been in violation of the law.

Therefore, the penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.