Have you appointed a HIPAA complaint official yet? Section 164.530(a)(1)(ii) of the Department of Health and Human Services (“DHHS”) privacy regulations requires covered entities to have a complaint official to receive and respond to patient/client complaints about violations of HIPAA and their rights thereunder. Many covered entities make the privacy officer also the complaint official, and there is nothing wrong in doing so. But others prefer to keep the privacy officer above the fray, so to speak, and able to act on complaints without having initially to receive the complaints, which may start out as verbal complaints, and then act on them when they are forwarded up to him or her. This approach may make it easier for the complaint official to deal with the irate patient by not having to weigh in on the complaint at the start, but rather being able to say that he or she will forward the complaint to the proper official to handle it.
Even if you use the privacy officer as the HIPAA complaint official, you could refine that officer’s job description by adding some of the language in the new sample complaint official job description just now posted on our Premium Member section of the Veterans Press website. And if you appoint another individual, such as an ombudsman or another person in your organization, to receive HIPAA complaints, you could use this job description, in whole or in part, for that job description.
As I wrote in my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, 2nd ed. 2014, you should never discourage an internal complaint. Often, you can resolve the matter by demonstrating that the matter is not a HIPAA violation or by informing the complainant of what you are doing to remediate the situation and to make sure that it does not happen again. This response may prevent a complaint to DHHS which, if DHHS investigates the complaint, is a hassle, even if the incident wasn’t a breach. You cannot bill for time spent responding to complaints. And if trying to resolve an internal complaint doesn’t prevent a complaint to DHHS, it at least gives you an advance warning that a complaint may be coming so that, for example, you can get your ducks in order—conduct a good investigation while the individuals involved still remember what happened rather than trying to remember six months later when the investigation finally hits. So having a good complaint procedure and a good official to receive, and perhaps handle, complaints is key.
Again, as a reminder, if you bought the HIPAA Compliance Library that includes my 5th edition of the Compliance Guide to HIPAA and the DHHS Regulations, you received with it a one-year free subscription to the Premium Member section. If you need help setting up your account to access the Premium Member section or want to arrange to buy a one-year subscription, please call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at patrick@veteranspress.com.
While you are talking with Patrick, ask him about our upcoming two-day Hands-on HIPAA Workshop aboard the Queen Mary, anchored in Long Beach, California, October 16-17, 2014.
