Proper Handling of a HIPAA Privacy Complaint

When patients complain of a privacy violation, healthcare providers need to know how to deal with it. For an efficient response, the organization must have policies that cover the complaints procedure. The staff should know how to handle HIPAA privacy complaints from patients.

Patients must be informed about what they need to do if they feel their privacy or the HIPAA rules have been violated. This must be included in your company’s Notice of Privacy Practices. Making a verbal complaint is not enough. Ask the patient to submit a written complaint. If you have a form for the patient to fill out, have the patient complete it. Then collect the form and forward it to the Privacy Officer for investigation.

A HIPAA privacy complaint is serious. Addressing complaints quickly and efficiently will reassure your patients that you care about their concerns. Patients typically don’t want to cause trouble. They simply want a privacy issue investigated and any harm mitigated. They want an apology, especially if they are negatively affected. But they won’t pursue the issue further if you take action right away.

Privacy complaints must be investigated to establish what really happened and who was involved. Where necessary to prevent further breaches, there must be disciplinary action, updates to policies and procedures, or additional training. Let law enforcement know about the breach, especially if a crime is suspected.

The Privacy Officer must determine if the incident is reportable. If it has been determined that there was a HIPAA breach impacting 500 or more persons, the Breach Notification Rule applies. The patients whose privacy was violated must be identified and notified within 60 days. The breach incident must be reported to OCR without unnecessary delay and within 60 days of breach discovery, and to state attorneys general if state laws require it.

All stages of the privacy complaint and investigation must be documented in case of an audit by OCR or state attorneys general. After the investigation of the HIPAA privacy complaint is finished, the complainant must be contacted to explain the results of the investigation and the actions taken to mitigate future risks.

Privacy complaints can get covered entities penalized if OCR finds out that the entity has no documented policies and procedures in place. When complaints of HIPAA violation are adequately investigated and resolved, the risk of penalty is significantly reduced.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at