HIPAA Email

If it is believed privacy rights have been violated by an HIPAA covered entity then patients have the right to complain about it.  A little research is necessary before filing a complaint is necessary to ensure the organization or individual believed contravened these rights are subject to HIPAA, and is a covered entity.

Once it has been ascertained that a covered entity has indeed broken the privacy rules then a complaint needs to be filed with the Office for Civil Rights.  The complaint must be in writing, but may be in email form or fax if preferred, and be sent to the correct regional office.  It must name the entity involved and contain a complete and lucid description of events and the reason why the rules have been broken.  A complainant has one hundred eighty days from the day of the incident to be accepted by the Office for Civil rights.

The complainant should not be scared of complaining if they firmly believe their rights have been contravened.  There is a specific clause in the rules that prohibit any kind of retaliation for filing a complaint.  If the Office for Civil Rights get to hear about any retaliations, they take a very dim view and the entity involved can get themselves into real trouble.

A good first step for any complainant is the Office for Civil Rights website where as much information as possible has been posted, and there is a complaint pack with guidance on how to complete it.  Some entities like Universities and some hospitals have their own HIPAA complaint procedures.  A complainant can choose which body to complain to, but if the entity itself is contacted it must be given adequate time to investigate and address the issue before complaining to the Office of Civil Rights.

As with any bureaucracy it will take time to process any complaint so this should be borne in mind once the complaint is made.  Adequate time must be allowed to pass to ensure the OCR can do its job.