NGA

1
NGAs HIPAA WebcastPreparing for Complaint
Driven Enforcement

• Renée Popovits
• Popovits Robinson
• 19065 Hickory Creek Drive, Suite 220
• Mokena, IL 60448
• rpopovits_at_popovitslaw.com

2
Complaint Driven Enforcement

• The enforcement process will be primarily
  complaint-driven.
• The process will be progressive, affording a
  covered entity against whom a complaint has been
  filed opportunities to demonstrate compliance or
  to develop a corrective action plan.
• Covered entities have a BIG incentive to resolve
  patient complaints BEFORE it goes to OCR--think
  risk management!

3
Complaints to the DHS Secretary

• 45 CFR 160.306 Persons have a right to file a
  complaint with DHS Secretary. Complaints must
• 1. Be filed in writing, either on paper or
  electronically
• 2. Name the entity that is the subject of the
  complaint and describe the acts or omissions
  believed to be in violation of the applicable
  requirements

4
Complaints to the Secretary

• 3. A complaint must be filed within 180 days of
  when the complainant knew or should have known
  that the act or omission complained of occurred,
  unless this time limit is waived by the Secretary
  for good cause shown
• 4. Additional procedures may be prescribed
• 5. Individuals may also file complaints with the
  Covered Entity

5
Investigation of Complaints

• The Secretary may investigate complaints.
  160.306(c). Such investigation may include a
  review of the pertinent policies, procedures, or
  practices of the covered entity and of the
  circumstances regarding any alleged acts or
  omissions concerning compliance.
• Covered entities must have a process for persons
  to make complaints. CEs must document complaints
  received as well as disposition. 164.530(d)(1)
  and (2).

6
OCR Complaint Process

• Informal review may resolve issue fully without
  formal investigation
• Many complaints will be resolved at this stage
• If not, begin investigation
• Voluntary resolution yet possible
• Technical Assistance
• See Sections 160.310 and 160.312.

7
Penalties

• Under HIPAA -- civil monetary penalties of not
  more than 100 for each violation, with a cap of
  25,000 per calendar year. (Much larger penalties
  are provided for disclosure of individually
  identifiable health information)
• Criminal penalties for wrongful disclosures

8
Types of Complaints I May Encounter?

1. PHI released outside the rule
2. PHI disclosed and person is embarrassed or harmed
   by it
3. Patient is granted access and doesnt like what
   the record says
4. Patient not granted access to records
5. Patient not granted an amendment
6. Patient not given timely information
7. Unrelated patient care complaints
8. Patient just wants to complain!

9
Strategies for Complaints/Risk Management

• Instill in staff a customer service attitude
• (desire to resolve concerns so the patient does
  not complain to OCR)
• Conduct patient satisfaction surveys
• Develop solid policies to safeguard protected
  information
• Conduct trainings to inform individuals as to the
  appropriate uses and disclosures of PHI
• Reward compliance
• Develop and enforce discipline and mitigation
  policies

10
Strategies for Complaints (contd)

• Hire the right person to take complaints. A
  patient advocate, someone with good customer
  service skills. Handle complaints in a timely
  manner
• Respond to complaints professionally with a high
  degree of empathy
• Do not be afraid to take corrective action, even
  if you need to admit you were wrong
• Address and resolve at a local and personal level
• Train clinical staff on appropriate records
  documentation
• Document any interventions or corrective actions
  that have occurred

11
What methods are States using to process
complaints?

• Hotlines
• Methods established by Federal Regulations and
  OCR
• Privacy Officers
• Client Rights Advocates or Officers
• Mail
• E-mail
• On-line Forms

12
North Carolina

• North Carolinas Department of Health and Human
  Services (DHHS) has an information and referral
  service located in their Office of Citizen
  Services known as their CARE-LINE.

13
North Carolina

• The CARE-LINE is designated to receive and
  document complaints and concerns regarding the
  Departments privacy practices, policies, and
  procedures related to the protection of
  individually identifiable health information.
  CARE-LINE ensures that all privacy complaints are
  recorded accurately, and retained for a period of
  at least six years from either the date of
  creation or the date when it was last in effect.
  Any complaint not resolved by the hotline is
  forwarded to a DHHS Privacy Officer.

14
CARE-LINE Procedures

• CARE-LINE staff respond immediately to privacy
  complaints that are general in nature and do not
  require additional research or privacy expertise.
  ALL FACTS ARE DOCUMENTED AS IS THE RESOLUTION in
  their information referral system.

15
CARE-LINE Procedures

• What if the designated agency receives the
  complaint first?
• The designated agency shall research and resolve
  the privacy complaint promptly, if possible.
  Documentation of the complaint and resolution
  shall be sent to CARE-LINE, ensuring no
  individually identifiable health information
  other than that provided by the individual is
  included. Documentation for routine issues shall
  be provided within 30 days.

16
CARE-LINE Procedures

• CARE-LINE shall provide reports about privacy
  complaints to the DHHS Privacy Officer on a
  routine and ad hoc basis, as requested.
• CARE-LINE can be accessed Monday-Friday 800 am
  to 500 pm (except holidays). You can also Fax,
  E-mail or send a letter to CARE-LINE.

17
CALIFORNIA

• California developed a policy entitled Covered
  Entity Policy Procedure Reporting Compliance
  Concerns which delineates the procedures to be
  followed the handling of Privacy Complaints under
  HIPAA. Reports can be made in four ways.

18
CALIFORNIA

• 1. Verbal report by a named individual, in person
  or by telephone, made to the Privacy Officer.
• 2. Written report by a named individual, by use
  of the Confidential Report of Concern, submitted
  to the Privacy Officer.
• 3. Anonymous telephone report by an unidentified
  individual made to the Privacy Officer or to the
  organizations anonymous reporting system.
• 4. Anonymous written report by an unidentified
  individual submitted in one of the following
  ways
• - Mailing a completed Confidential Report of
  Concern to the Privacy Officer at the
  organizations address
• Depositing a completed Confidential Report of
  Concern in one of the organizations suggestion
  boxes.

19
CALIFORNIA

• The Privacy Officer investigates each report of
  concern. The findings of an investigation
  prompted by a report of concern will be recorded
  on the Compliance Report Investigation Form
  within five working days of the report.

20
MICHIGAN

• The Michigan Department of Community Health has
  posted their Privacy Notice on-line at
  http//www.michigan.gov/mdch.
• In their policy, they offer the option of writing
  to the Office of Civil Rights to file a complaint
  or you can file a complaint directly with Denise
  Chrysler, their Privacy Officer.

21
NEW YORK

• Mario Tedesco, the HIPAA Project Manager for New
  Yorks Department of Health stated that a
  phone-in Help Line will be posted to handle HIPAA
  Privacy Complaints shortly before the deadline.

22
ILLINOIS

• Illinois Department of Human Services requests
  that patient complaints be filed on the local
  level through their local offices
• There are other Illinois State Departments that
  are covered entities and each will have their own
  complaint processes--there is not a state-wide
  system for complaints.

23
Georgetown Project

• On April 8, 2003 the Health Privacy Project (HPP)
  announced the launch of its HIPAA privacy
  complaint monitoring initiative.
• Initiative will monitor the oversight and
  enforcement of the HIPAA privacy rule by OCR to
  ensure that patients' privacy rights are enforced
  effectively.

24
Georgetown Project

• HPP will track the number and types of complaints
  and will monitor how effectively the Office of
  Civil Rights investigates and resolves them.
• More information on this initiative can be found
  on-line at the following URL
• http//www.healthprivacy.org.
• Model complaint form can be found at the
  following link http//www.healthprivacy.org/usr_d
  oc/Final_Complaint_Form.pdf

25
Resources

• The Federal Register
• http//www.archives.gov/federal_register/index.htm
  l
• HHS/Office of Civil Rights
• http//www.hhs.gov/ocr/hipaa/whatsnew.html

26
What to do if a Privacy Complaint draws Media
attention

• The Ten Commandments of Winning with the News
  Media by Clarence Jones.
• 1. Be Open and Cooperative- Never Lie!
• 2. Personalize- Americans have a negative
  mindset for almost anything that smacks of
  bigness and bureaucracy. Let them get to know
  someoneshow them the real people of your
  organization

27
What to do if a Privacy Complaint draws Media
attention

• 3. Develop Media Contacts.The better your
  relationships with the media the better the
  coverage you will get.
• 4. Take Good Stories- Find positive stories for
  the media to hear.
• 5. Respond Quickly
• 6. Never say No Comment.
• 7. Its OK to say I dont know.

28
What to do if a Privacy Complaint draws Media
attention

• 8. Confess and Repent
• 9. Use the Big Dump- If you have bad news, give
  it all at once, dont offer a little at a time.
• 10. Always Prepare, Prepare, Prepare!