Anyone can file a complaint if they feel their rights under the HIPAA Privacy¹, Security², or Breach³ Rules have been violated. They can file a complaint with the covered entity or business associate involved, or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (the OCR). The HHS.gov website has a full page dedicated to filing a complaint⁴ and is one of the first listings to appear if someone performs an internet search for “filing a HIPAA complaint”.

Appropriately handling the patient’s complaint by taking it seriously, investigating, and responding may help decrease the risk of the OCR launching an investigation into your pharmacy. Additionally, if an investigation does occur, following the steps listed below can help ensure that your pharmacy would have all the required information documented to prove you handled the situation pursuant to the HIPAA Rules.

Steps to follow if a patient believes their HIPAA rights have been violated:

1. Have the patient fill out a HIPAA Complaint Form
2. The pharmacy’s HIPAA Privacy Officer should review the complaint form to determine if a violation or breach occurred
3. The Privacy Officer should document the relevant facts of their investigation as well as efforts to mitigate harm to the patient, sanctions that have been applied, or any policies or procedures that need to be revised or updated
4. If a breach occurred, notifications must be sent out to the patient via First class letter, the Secretary of HHS⁵, and, possibly, the media

If HIPAA Rule violations are found during an OCR investigation, the pharmacy can be forced to pay civil money penalties and can even be held accountable for an employee’s failure to adhere to company HIPAA policies and procedures. Additionally, individuals accessing or utilizing protected health information inappropriately can be charged civil money penalties or even face criminal charges (and jail time!) for violating the HIPAA Rules.

PAAS Tips:

• The OCR takes HIPAA complaints seriously and can investigate your pharmacy to ensure you are compliant with all HIPAA Rules; be sure you have appropriately documented your response to all HIPAA complaints and maintain all documents related to HIPAA for a minimum of six years
• Routine HIPAA Compliance Audits can also be carried out by the OCR without a prior patient complaint – make sure you have appropriate policies and procedures in place to be fully adherent to all HIPAA Rules
• All staff with access to protected health information should be knowledgeable about HIPAA Rules, your pharmacy’s HIPAA policies and procedures, and sanctions for violating the Rules
• HIPAA training tailored specifically to independent pharmacies, as well as personalized assistance from a member of the PAAS analyst team, is included as part of a PAAS FWA/HIPAA Compliance Program membership

Don’t have a HIPAA Compliance Program? Contact PAAS, info@paasnational.com or (608) 873-1342 and get started today! PAAS National^® is committed to serving community pharmacies and helping keep hard-earned money where it belongs.

By Trenton Thiede, PharmD, MBA, President at PAAS National^®, expert third party audit assistance and FWA/HIPAA compliance.

Copyright © 2023 PAAS National, LLC. Unauthorized use or distribution prohibited. All use subject to terms at https://paasnational.com/terms-of-use/.

References:

• 1.       https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
• 2.       https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
• 3.       https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
• 4.       https://www.hhs.gov/hipaa/filing-a-complaint/index.html
• 5.       https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html