HIPAA FAQs - Complaints

Are we required to have a formal complaint process for privacy issues?
HIPAA mandates a process for individuals to complain to both the practice and the Secretary of Health and Human Services (HHS) about the practice’s policies and procedures related to privacy, its compliance with those policies and procedures, or its compliance with HIPAA's requirements.

Are there specific requirements about notification?
The final Rules stipulate that covered entities have a mechanism for receiving complaints, and this mechanism must be included in the Privacy Notice (specify contact person or office phone number).

Do I have to keep a record of complaints?
Yes, you have to maintain a record of the complaints you receive and a brief description of the resolution, if there is a resolution.

Can the individual elect to complain to the Secretary of Health and Human Services (HHS) without first complaining to me, as the practice?
Individuals have the right to send their complaint directly to the Secretary of HHS.

Are there specific requirements for filing a complaint with the Secretary of Health and Human Services (HHS)?
Complaints must be in writing (either on paper or electronically), must name the practice, and must be filed within 180 days of when the complainant knew or should have known of the omission.

What could happen if the Secretary of Health and Human Services (HHS) found the complaint to substantiate a violation?
Efforts would be made to settle the matter informally with the practice. A compliance review of the practice might result. If the Secretary of HHS found no violation, the practice and the complainant would be notified.