Anyone can file a complaint if they feel their rights under the HIPAA Privacy1, Security2, or Breach3 Rules have been violated. They can file a complaint with the covered entity or business associate involved, or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (the OCR). The HHS.gov website has a full page dedicated to filing a complaint4 and is one of the first listings to appear if someone performs an internet search for “filing a HIPAA complaint”.
Appropriately handling the patient’s complaint by taking it seriously, investigating, and responding may help decrease the risk of the OCR launching an investigation into your pharmacy. Additionally, if an investigation does occur, following the steps listed below can help ensure that your pharmacy would have all the required information documented to prove you handled the situation pursuant to the HIPAA Rules.
Steps to follow if a patient believes their HIPAA rights have been violated: 1.Have the patient fill out a HIPAA Complaint Form 2.The pharmacy’s HIPAA Privacy Officer should review the complaint form to determine if a violation or breach occurred 3.The Privacy Officer should document the relevant facts of their investigation as well as efforts to mitigate harm to the patient, sanctions that have been applied, or any policies or procedures that need to be revised or updated 4.If a breach occurred, notifications must be sent out to the patient via First class letter, the Secretary of HHS5, and, possibly, the media
If HIPAA Rule violations are found during an OCR investigation, the pharmacy can be forced to pay civil money penalties and can even be held accountable for an employee’s failure to adhere to company HIPAA policies and procedures. Additionally, individuals accessing or utilizing protected health information inappropriately can be charged civil money penalties or even face criminal charges (and jail time!) for violating the HIPAA Rules.
Print Page
Email to a Friend