Health Information Compliance Alert

Published on Tue Oct 27, 2009 PDF

Putting a complaint on the backburner can land you in hot water with the feds.

When you prepared for the privacy rule, you may not have adequately addressed what to do when a patient files a privacy complaint. To avoid potential civil monetary penalties enforced by the Department of Health and Human Services' Office for Civil Rights, you'll have to have your wits about you when patients submit complaints.

Complaints could be handled in a variety of ways, notes Keith Olenik, chief privacy officer at St. Luke's Health System in Kansas City, MO, a system that consists of eight hospitals and several additional physician offices.

"If a contact person at the office can handle the complaint, we're going to try to resolve it right there and then for minor issues."

But what if the complaint isn't just a misunderstanding and comprises a significant privacy issue? If that's the case, such a grievance would then be forwarded to the privacy officer, who would investigate the matter, Olenik informs Eli. After the complaint has been submitted to the privacy officer, he says he and the person who initially fielded the complaint would decide how they were going to respond to the patient.

Good idea: Olenik says patients are informed in St. Luke's notice of privacy practices that they have the ability to file a complaint with the OCR, and says St. Luke's even lists the address in its NPP.

"They're informed if they don't feel we've adequately addressed their issue, then they can do that." He says that if patients aren't content after the initial response addressing their complaint, "then we would probably advise them that they have the option to [submit a complaint to the OCR], just to show that we're being cooperative in the process." But Olenik says he'll try his best to resolve the issue before OCR is ever mentioned.

While it is ultimately the privacy officer's responsibility to oversee privacy rule investigations and to ensure that complaints are properly addressed, he or she can certainly seek help. "[The privacy officer] needs to coordinate and track what's happening with complaints," notes Eileen Kahaner, healthcare attorney with Arent Fox, Washington.

But she adds that the privacy officer doesn't have to perform every investigation and can always delegate to other people responsibilities for researching and responding to complaints.

You should try to mitigate complaints as quickly and quietly as possible. Ideally, Olenik says he'd like to have a response back to the patient within a week's time, if not sooner. He says if a complaint came to his desk, he'd try to send out a letter to the patient the next day, if possible.

If he receives a complaint in a letter, he would then respond to the patient in a note that explains his organization had received their complaint "and we'll be responding within 'x' amount of time, and the 'x' is usually determined by the significance is of the issue," he explains.

Tip: However you decide to go about it, generating your own complaint form for privacy rule breaches is always a good idea, Kahaner maintains.

Kahaner says it's always a little uncomfortable when people complain or raise issues relating to your organization, but oftentimes they raise valid problems or defects in your systems. When you openly accept those grievances and attempt to respond to them, "you can make people feel like you've tried to take care of them, and that's really valuable," she offers.