What is the OCR's complaints process?

The OCR complaints process protects individuals against possible violations of their patient data. This helps build public confidence in the healthcare system by demonstrating that there are mechanisms in place to address these privacy concerns assuring individuals that their complaints will be taken seriously and investigated thoroughly. 

What are the possible HIPAA complaints that could arise?

A wide variety of potential HIPAA violations or breaches can lead to an infringement of the privacy and security of an individual's data, and a broad array of these violations can result in an OCR complaint. These include:

• Unauthorized disclosure of protected health information (PHI)
• Lack of safeguards for PHI
• Denial of access to medical records
• Inadequate training and education
• Retaliation from the covered entity for exercising HIPAA rights
• Breach notification failures
• Non-compliance with HIPAA requirements
• Failure to respond to access or amendment requests

Related: Understanding HIPAA violations and breaches

What is the role of the OCR?

The Office for Civil Rights (OCR) is responsible for ensuring compliance with HIPAA's Privacy, Security, and Breach Notification Rules. It investigates complaints and conducts compliance reviews to determine if covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates are meeting their obligations under HIPAA.

Amongst their jurisdiction is receiving and investigating complaints from individuals, organizations, and advocacy groups who believe that their rights under HIPAA have been violated. They review the complaints, gather evidence, and determine if any HIPAA violations have occurred. 

Related: What is the OCR, and what does it do?

The process of OCR complaints for the complainant 

Initiating 

The OCR offers several methods of laying a complaint for any of the above reasons. These include making use of their online complaint portal and making use of mail or fax. This complaint should include details of the violation, the covered entity that committed the violation, and any applicable reporting documents. 

Investigation

The OCR considers the nature and extent of the alleged violation. Violations that involve intentional misconduct, repeated offenses, or large-scale breaches of PHI are typically deemed more severe. The process involves the following steps:

1. Initial review: Upon receiving a complaint, the OCR conducts an initial review to determine jurisdiction, validity, and potential violations of HIPAA. This stage involves assessing the provided information, contacting the complainant for clarification, and assigning the complaint to an investigator.
2. Fact-finding: During this stage, the OCR investigator gathers information and evidence related to the alleged HIPAA violation. This may involve requesting additional documentation or records from the complainant and the entity involved. The investigator may also interview witnesses and conduct on-site visits if necessary.
3. Analysis and evaluation: The OCR analyzes the collected evidence, interviews, and documentation to determine if a violation of HIPAA has occurred. They evaluate the severity of the violation, the entity's compliance history, and any mitigating factors. The OCR may consult legal experts and other professionals as part of the evaluation process.
4. Resolution: After completing the investigation, the OCR works toward resolving the complaint. Possible resolutions may include voluntary compliance, corrective action plans, or settlement agreements, depending on the findings. In cases where violations are severe or persistent, the OCR may issue penalties, impose sanctions, or pursue litigation.

Impact of a complaint on the organization

The healthcare organization may be required to comply with the OCR investigation after the complaint has been logged. The OCR can employ several methods of resolution if a violation is found to exist. If it determines that the violations are significant or the entity has a history of non-compliance, it has the authority to impose civil monetary penalties (CMPs) on the covered entity or business associate. This ultimately can drive the covered entity or business associate to improve their compliance with HIPAA regulations. 

Potential resolution or outcome

Impose civil monetary penalties (CMPs)

The OCR may assess monetary fines on covered entities found to violate HIPAA. The penalty amount depends on the severity of the violation, with penalties ranging from thousands to millions of dollars.

Require corrective actions

The OCR can require covered entities to implement specific corrective actions to address the identified violations. This may involve developing and implementing policies and procedures, providing additional staff training, or implementing technical safeguards to protect PHI.

Enter into resolution agreements

In some cases, the OCR may enter into resolution agreements with covered entities to address the violations and ensure future compliance. These agreements typically outline the actions the entity must take to rectify the violation and prevent further non-compliance.

Related: HIPAA Compliant Email: The Definitive Guide