Health Information Compliance Alert

Reader Questions:

Know How OCR Deals With HIPAA-Related Complaints

Question: Our practice does a pretty good job of following the HIPAA Rules, and we’ve been keeping up with the HHS Office for Civil Rights (OCR) focus these past few years on patients’ rights to have access to their files. However, we do know that accidents happen, and we wondered what occurs when a patient files a complaint? Is there always a settlement and corrective action plan?

Arkansas Subscriber

Answer: After OCR receives a complaint about a covered entity (CE) or business associate (BA), it follows a defined track that has a variety of outcomes depending on the veracity of the complaint, in accordance with the HIPAA Enforcement Rule.

For example, OCR will not start enforcement proceedings if the action happened more than six years ago. The agency also only investigates complaints against CEs and BAs that are subject to the HIPAA Rules. Lastly, the incident must be a clear HIPAA violation, and the complaint filing must be “within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the HIPAA Rules,” OCR guidance says.

“OCR may waive this time limit if it determines that the person submitting the complaint shows good cause for not submitting the complaint within the 180-day time frame (e.g., such as circumstances that made submitting the complaint within 180 days impossible),” the agency adds.

Bottom line: Not every complaint warrants an investigation, but there is always a resolution associated with every complaint. In fact, a resolution could include merely OCR’s decision not to investigate.

On the other hand, if an investigation does ensue and OCR uncovers a violation, then a settlement agreement will follow with a resolution agreement. This is where it gets more nuanced: the impacted CE or BA may agree to a corrective action plan (CAP) as part of its settlement and resolution agreement.

“A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years,” OCR explains. “During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount.”

Warning: If you don’t meet the demands of your CAP outlined in your original resolution agreement, OCR may revise the resolution agreement and impose civil money penalties (CMPs) against you, agency guidance indicates.