Posts Tagged ‘email hipaa’

How to make a complaint

Wednesday, May 27th, 2009

If a patient believes their privacy rights have been violated by a HIPAA covered entity, they have the right to complain about it.  A little research is needed before filing, to make sure the organization or individual believed to have contravened those rights is actually subject to HIPAA, that is, a covered entity.

Once it has been established that a covered entity is involved, a complaint can be filed with the Office for Civil Rights (OCR).  The complaint must be in writing, which may be on paper, by email or by fax, and should be sent to the correct regional office.  It must name the entity involved and contain a complete, clear description of the events and the reason the complainant believes the rules were broken.  A complaint must be filed within one hundred eighty days of when the complainant knew, or should have known, that the violation occurred; OCR may extend this deadline if good cause is shown.

A complainant should not be afraid to complain if they firmly believe their rights have been contravened.  The rules contain a specific provision that prohibits a covered entity from retaliating in any way against a person for filing a complaint.  If the Office for Civil Rights learns of retaliation, it takes a very dim view of it, and the entity involved can get itself into real trouble.

A good first step for any complainant is the Office for Civil Rights website, where as much information as possible has been posted, including a complaint form with guidance on how to complete it.  Some entities, such as universities and some hospitals, have their own HIPAA complaint procedures, and every covered entity is required to have a process for receiving complaints.  A complainant can choose which body to complain to; if the entity itself is contacted first, it is sensible to give it adequate time to investigate and address the issue before escalating to the Office for Civil Rights.

As with any bureaucracy, processing a complaint takes time, and this should be borne in mind once the complaint is made.  Adequate time must be allowed for the OCR to do its job.

HIPAA Overview

Wednesday, May 27th, 2009

This innocuous acronym stands for the Health Insurance Portability and Accountability Act, a federal statute enacted in 1996 that, among other things, set out to protect the medical records of individuals.  The Act itself is massive and covers many aspects of medical care and the handling of records and information.  The two rules relevant to our needs are the Privacy Rule and the Security Rule, both of which will be covered in depth later.  The other rules issued under the Act are the Enforcement Rule, the Transactions and Code Sets Rule and the Unique Identifiers Rule.

The idea was to have an all-encompassing act that covered as much ground as possible with regard to patient privacy and confidentiality.  As might be expected, the Act is complicated and convoluted even for lawyers to work with, let alone the people it is designed to protect.  It serves to protect any medical record an individual may have and attempts to give the individual as much control over, and privacy for, those records as possible.  The privacy provisions of HIPAA are enforced by the Office for Civil Rights (OCR), and compliance with the Privacy Rule became mandatory for most covered entities in April 2003.

Within the Act, patients are called ‘individuals’ and their medical records are called ‘PHI’, or ‘Protected Health Information’.  The organizations subject to the rules, the ‘covered entities’, are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims or payment.  PHI itself is any “individually identifiable health information” that such an entity creates, receives, stores or transmits, in any form.

There is a myth that HIPAA only covers electronic information, but this is false.  It covers medical information, as described above, in any form or medium.  It does not matter whether the information is electronic, on paper or spoken; the Act applies.

PHI is anything that could identify an individual, even loosely, and associate them with health information.  That includes information about any past, present or future physical or mental condition, any health care provided to the individual, and any payment related to that care.

Basically, this all means that an organization covered by HIPAA is not permitted to use or disclose PHI unless the individual authorizes it in writing or the Privacy Rule itself permits or requires the disclosure (for example, for treatment, payment or health care operations).