What happens after a HIPAA complaint is filed can vary according to who it is filed with, whether or not the complaint is justified, and the nature of the complaint.
When you register with a healthcare provider or become a member of a group health plan, you are given a Notice of Privacy Practices. The Notice of Privacy Practices explains how the healthcare provider or health plan can use or disclose your health information and also what rights you have to restrict specific uses and disclosures and request a copy of any health information held about you.
The Notice of Privacy Practices should also provide details of who you can complain to if you think a healthcare provider or health plan has used or disclosed your health information impermissibly, or if your rights have been violated. Usually, the contact details are those of the organization's Privacy Office and the Department of Health & Human Services' Office for Civil Rights.
It is also possible to file a complaint with your State Attorney General. However, the majority of states require that you complain to the organization before filing a complaint with the State Attorney General. For this reason, it is important to keep copies of any correspondence between you and the organization, and records of who you spoke with and when if complaining by phone.
What Happens after a HIPAA Complaint is Filed with an Organization?
There is no HIPAA-mandated process for what happens after a HIPAA complaint is filed with a healthcare provider or health plan, so the process is likely to vary from organization to organization. However, the Privacy Rule states that all complaints have to be documented, so the first thing that will happen is that you will receive an acknowledgement of your complaint.
Healthcare providers and health plans are aware that if they do not respond to your complaint satisfactorily and in a timely manner, you have the right to escalate the complaint to HHS' Office for Civil Rights or your State Attorney General. Therefore, as regulatory investigations can be disruptive and attract indirect costs, your complaint will be reviewed as a matter of priority.
If the review identifies a potential HIPAA violation, it will be investigated further. An investigation can result in several outcomes.
- If no violation is identified, you should receive a communication explaining why.
- If a minor violation is identified, the organization will likely take steps to rectify it.
- If a more serious violation is identified, the organization may escalate your complaint to HHS' Office for Civil Rights for technical assistance or to report a data breach.
If you are dissatisfied with the response from your healthcare provider or health plan – or you fail to hear from them in a timely manner – you can escalate the complaint to HHS' Office for Civil Rights or your State Attorney General. Unlike when complaining to a State Attorney General, you are not required to have complained to the organization before complaining to HHS' Office for Civil Rights.
What Happens after a HIPAA Complaint is Filed with HHS' Office for Civil Rights?
When a complaint is filed with HHS' Office for Civil Rights, the complaint is reviewed to establish that the agency has the authority to investigate, that the complaint was made within 180 days of the alleged violation, and that the complaint relates to a violation of the Privacy, Security, or Breach Notification Rules. Around two-thirds of complaints are rejected at the review stage because the complaint is made against an organization not subject to HIPAA, is too late, or no violation has occurred.
If a complaint passes the review stage, HHS' Office for Civil Rights will contact the healthcare provider or health plan to attempt an informal resolution to the complaint – for example, by providing technical assistance. If a more serious violation is identified, HHS' Office for Civil Rights will conduct a full-scale investigation into the organization's compliance, with the possible outcomes being technical assistance, a more formal corrective action plan, or a civil money penalty.
The process is much the same when a complaint is filed with a State Attorney General, and both HHS' Office for Civil Rights and State Attorneys General will inform a complainant of the outcome of their complaint once it is resolved. The only exception to this process is when a possible criminal violation of HIPAA is identified by HHS' Office for Civil Rights – in which case the complaint is escalated to the Department of Justice for investigation.