Health Information Compliance Alert

If you don't properly address patients' privacy rule complaints, you'll waste time and money - but worse than that, you might have to explain yourself to the feds.

Covered entities certainly hope that their HIPAA policies and procedures are up to snuff and that patients are receiving not only ideal care, but exemplary privacy protections to boot. Yet, when you prepared for the privacy rule, you may not have adequately addressed what to do when a patient invariably files a privacy complaint. And in order to avoid potential civil monetary penalties enforced by the Department of Health and Human Services' Office forCivil Rights, you'll have to have your wits about you when patients submit complaints.

Complaints could be handled in a variety of ways, notes Keith Olenik, chief privacy officer at St. Luke's Health System in Kansas City, Missouri, a system that consists of eight hospitals and several additional physician offices. "If a contact person at the office can handle the complaint, we're going to try to resolve it right there and then for minor issues."

But what if the complaint isn't just a misunderstanding and comprises a significant privacy issue? If that's the case, such a grievance would then be forwarded to the privacy officer, who would undertake an investigation into the matter, Olenik informs Eli. After the complaint has been submitted to the privacy officer, he says he and the person who initially fielded the complaint would decide how they were going to respond back to the patient.

Olenik says patients are informed in St. Luke's notice of privacy practices that they have the ability to file a complaint with the OCR, and says St. Luke's even lists the address in its NPP (for sample form, see article 7).

"They're informed if they don't feel we've adequately addressed their issue, then they can do that." He says that if patients aren't content after the initial response addressing their complaint, "then we would probably advise them that they have the option to [submit a complaint to the OCR], just to show that we're being cooperative in the process." But Olenik says he'll try his best to resolve the issue before OCR is ever mentioned.

While it is ultimately the privacy officer's responsibility to oversee privacy rule investigations and to ensure that complaints are properly addressed, he or she can certainly seek help. "[The privacy officer] needs to coordinate and track what's happening with complaints," notes attorney Eileen Kahaner with Arent Fox in Washington. But she adds that the privacy officer doesn't have to perform every investigation and can always delegate to other people responsibilities for researching and responding to complaints.

Since CEs are required to hold on to such files for six years, Olenik says complaints will be filed in either his office or the privacy office of the main health system. Rather than having every individual location file the complaint forms separately he advises CEs to file them centrally. He adds that St. Luke's currently plans to examine a document imaging system for its contracts, and hopes to have such a system in place for complaints as well. That way, "it'd be easier to control access and then have it available."

You should try to mitigate complaints as quickly and quietly as possible. Ideally, Olenik says he'd like to have a response back to the patient within a week's time, if not sooner. He says if a complaint came to his desk, he'd try to send out a letter to the patient the next day, if possible. If he receives a complaint in a letter, he would then respond to the patient in a note that explains his organization had received their complaint "and we'll be responding within 'x' amount of time, and the 'x' is usually determined by the significance is of the issue," he explains.

However you decide to go about it, generating your own complaint form for privacy rule breaches is always a good idea. "To the outside it looks like you're taking complaints or questions seriously. Kahaner maintains. Kahaner says it's always a little uncomfortable when people complain or raise issues relating to your organization, but oftentimes they raise valid problems or defects in your systems. When you openly accept those grievances and attempt to respond to them, "you can make people feel like you've tried to take care of them, and that's really valuable," she offers.