RESPONDING TO AN OCR PRIVACY COMPLAINT - PowerPoint PPT Presentation

Slides: 31
Provided by: ministryh

Transcript and Presenter's Notes

Title: RESPONDING TO AN OCR PRIVACY COMPLAINT


1
RESPONDING TO AN OCR PRIVACY COMPLAINT
  • HIPAA COW
  • January 14, 2005 Meeting
  • Nancy Davis - Ministry Health Care

2
PRESENTATION OBJECTIVES
  • Review the HIPAA Privacy Complaint Standards
  • Provide Real-Life Experience in Responding to an
    OCR Privacy Complaint Investigation
  • Provider Experience
  • Payer Experience
  • Address the Role of Other External Agencies in
    Responding to and Investigating Privacy
    Complaints

3
45 CFR 160.306 COMPLAINTS TO THE SECRETARY
  • (a) Right to file a complaint. A person who
    believes a covered entity is not complying with
    the applicable requirements of this part 160 or
    the applicable standards, requirements, and
    implementation specifications of subpart E of
    part 164 of this subchapter may file a complaint
    with the Secretary (Health & Human Services).

4
45 CFR 160.306 - Continued
  • (b) Requirements for filing complaints.
    Complaints under this section must meet the
    following requirements:
  • (1) A complaint must be filed in writing, either
    on paper or electronically.
  • (2) A complaint must name the entity that is the
    subject of the complaint and describe the acts or
    omissions believed to be in violation of the
    applicable requirements of this part 160 or the
    applicable standards, requirements, and
    implementation specifications of subpart E of
    part 164 of this subchapter.

5
45 CFR 160.306 - Continued
  • (3) A complaint must be filed within 180 days of
    when the complainant knew or should have known
    that the act or omission complained of occurred,
    unless this time limit is waived by the Secretary
    for good cause shown.
  • (4) The Secretary may prescribe additional
    procedures for the filing of complaints, as well
    as the place and manner of filing, by notice in
    the Federal Register.

6
45 CFR 164.520 NOTICE OF PRIVACY PRACTICES FOR PHI
  • (b) Implementation Specifications: Content of
    Notice. (1) Required Elements
  • (vi) Complaints. The notice must contain a
    statement that individuals may complain to the
    covered entity and to the Secretary if they
    believe their privacy rights have been violated,
    a brief description of how the individual may
    file a complaint with the covered entity, and a
    statement that the individual will not be
    retaliated against for filing a complaint.

7
45 CFR 164.530 ADMINISTRATIVE REQUIREMENTS
  • (g) Standard: refraining from intimidating or
    retaliatory acts. A covered entity may not
    intimidate, threaten, coerce, discriminate
    against, or take other retaliatory action
    against:
  • (2) Individuals and others. Any individual or
    other person for:
  • (i) Filing of a complaint with the Secretary
    under subpart C of part 160 of this subchapter

8
OCR GUIDANCE
  • Fact Sheet: How to File a Health Information
    Privacy Complaint With the Office for Civil
    Rights
  • Instructions
  • Special Complaint Form
  • Options
  • Paper or Electronically
  • Mail, Fax, or E-Mail
  • Support
  • Toll Free Number: 1-800-368-1019

9
OCR HEALTH INFORMATION PRIVACY COMPLAINT FORM
  • One Page Form (Optional Second Page)
  • Demographic Section for Complainant
  • Demographic Section for Subject of Complaint
  • Description of the Complaint
  • Signature and Date

10
OCR FACT SHEET
  • How to File a Health Information Privacy
    Complaint With the Office for Civil Rights
  • www.os.dhhs.gov/ocr/privacyhowtofile.htm

11
OCR REGIONAL CONTACT INFORMATION
  • Region V: IL, IN, MI, MN, OH, WI
  • Office for Civil Rights
  • U.S. Department of Health & Human Services
  • 233 N. Michigan Avenue, Suite 240
  • Chicago, IL 60601
  • (312) 886-2359
  • (312) 886-1807 (Fax)
  • (312) 353-5693 (TDD)

12
OCR PRIVACY COMPLAINTS
  • 9,541 Complaints Filed (11/18/04)
  • 5,721 Closed
  • Balance in Process
  • 80% of Complaints Investigated
  • 20% Not Applicable Due to:
  • No Covered Entity Involved
  • Incidents Took Place Before 4/13/03
  • Incidents Are Not Violations/Permitted by Rule

13
OCR PRIVACY COMPLAINTS - Continued
  • Top Five Complaint Allegations
  • Impermissible Disclosures
  • Failure to Establish Safeguards (Administrative,
    Technical & Physical)
  • Access to Records/Fees for Records
  • Minimum Necessary - Provided Too Much
  • Failure to Provide Notice of Privacy Practices

14
OCR PRIVACY COMPLAINTS - Continued
  • As of 9/10/2004, OCR Has Referred 98 Criminal
    Complaints to DOJ for Investigation
  • DOJ Has Accepted 7 Complaints for Investigation
  • OCR Has Not Yet Levied a Civil Monetary Penalty

15
PROVIDER EXPERIENCE
  • OCR Complaint
  • Related to a complaint previously investigated at
    both the local and corporate levels.
  • Involved a disgruntled, recently terminated
    employee.
  • Incident was determined to be an administrative
    oversight.

16
PROVIDER EXPERIENCE - Continued
  • Scenario - Local
  • On day of involuntary termination, employee
    contacted corporate helpline with multiple
    complaints regarding previous employer.
  • Only one complaint addressed an inappropriate use
    and disclosure of PHI.
  • Use and disclosure related to an operational
    function and not a patient care function.

17
PROVIDER EXPERIENCE - Continued
  • Scenario - Local
  • Investigation carried out.
  • Focus on privacy issue.
  • Multiple calls to complainant.
  • Follow-up letter with results of investigation to
    complainant.
  • Corrective action taken.
  • Leadership Inservicing

18
PROVIDER EXPERIENCE - Continued
  • OCR Investigation
  • Not unexpected - retaliation was suspected.
  • Scope of complaint a surprise and a stretch.
  • Organization fully cooperated and shared details
    of internal/corporate investigation
    (documentation, notes, policy changes,
    education).

19
PROVIDER EXPERIENCE - Continued
  • OCR Notification Letter
  • DHHS/OCR Letterhead
  • Addressed to Privacy Officer
  • Included Reference Number
  • Provided Nature of Complaint
  • Notification of Contact Within 2 Weeks
  • Identification of Contact Individual

20
PROVIDER EXPERIENCE - Continued
  • OCR Investigation
  • OCR Investigation Carried Out in a Thorough and
    Professional Manner.
  • Requested Organizational Response in a Timely
    Manner.
  • OCR provided letter of resolution.

21
TIMELINE

22
HEALTH PLAN EXPERIENCE
  • Scenario
  • Due to a common misunderstanding and branding
    of the health plan and the medical center, a
    member filed a complaint with OCR because the
    health plan was sending his spouse's explanation
    of benefits (EOB) to her ex-spouse.

23
HEALTH PLAN EXPERIENCE - Continued
  • Internal Investigation
  • It was determined by the health plan that the
    patient (spouse) had dual coverage under both the
    ex-spouse and the current spouse.
  • No notification had been received by the health
    plan to terminate coverage under the ex-spouse.

24
HEALTH PLAN EXPERIENCE - Continued
  • OCR Investigation Outcome
  • Internal investigation information shared with
    OCR
  • Process of OCR investigation informal
  • Carried out by phone call
  • Resolved

25
HEALTH PLAN EXPERIENCE - Continued
  • Pending Future OCR Investigation?
  • Denial for services sent to wrong patient which
    may have resulted in disclosure of diagnostic
    information, social security number, etc.
  • Corrective Action: Blinding of SSN or
    identification numbers

26
TAKE AWAYS
  • Don't Wait for OCR to Make Contact/Call to
    Request Information to Prepare for Investigation
  • Don't Assume the Nature of the Complaint
  • Documentation Availability is Key
  • Staff Training & Education
  • Policies & Procedures
  • Internal Investigations and Corrective Actions
  • Request Verification of Resolution
  • Privacy Complaints - Low Hanging Fruit for
    Disgruntled Individuals

27
CONSEQUENCES OF HIPAA VIOLATIONS
  • Civil Penalties
  • Fines
  • Criminal Penalties
  • Imprisonment
  • Fines
  • Exclusion
  • Medicare Program

28
HIPAA CONVICTION
  • Richard W. Gibson, 42, of Seattle, Washington was
    sentenced to 16 months in prison, three years of
    supervised release, and more than $9,000 in
    restitution for wrongful disclosure of
    individually identifiable health information for
    economic gain.

29
OTHER EXTERNAL AGENCIES PRIVACY COMPLAINTS
  • State of Wisconsin Department of Health & Family
    Services, Bureau of Quality Assurance
  • Joint Commission on Accreditation of Healthcare
    Organizations
  • Media Outlets (Newspaper, Radio, Internet)

30
QUESTIONS/DISCUSSION
  • davisn_at_ministryhealth.org
  • 920-746-1613