If a health care provider has already created and implemented a fraud and abuse compliance program, then developing a grievance policy for HIPAA-related complaints is only a hop, skip and a jump away. According to the Department of Health and Human Services' Health Insurance Portability and Accountability Act privacy rule, part of a covered entity's responsibilities to ensure the confidentiality of protected health information necessitates the implementation of a grievance policy, or a "means for patients to make inquiries or complaints regarding the privacy of their records." Sarraille says the information on how to make a complaint, both internally and to the HHS Office for Civil Rights, needs to be in the notice of privacy practices. He says it makes sense for providers to make the internal complaint process as easy internally as possible in order to help convince people with issues that that complaining internally is better and easier than turning to the OCR. Creating a grievance policy isn't as difficult as it may appear initially, but it involves several steps:
For example, says Sarraille, if the complaint is about a business associate and the claim is that the business associate has violated its agreement by failing to maintain privacy in some way, then that would trigger the legal obligation of the covered entity to mitigate the damages done by the violation. If it's not possible to mitigate those damages, then the covered entity must either terminate the business associate or report the associate to the DHHS. Those are the kinds of systematic questions that follow, says Sarraille. And if those questions are asked, the chances of repeated violations of HIPAA dwindles.
HIPAA-related complaints can be made by anyone, not simply by an aggrieved person, and there can't be any retaliation against anyone who makes a complaint, according to Bill Sarraille, an attorney with the Washington office of Arent Fox.
"It's basically a matter of being a good listener, of not being defensive, of assuring people in the contexts of those kinds of communications that there is a commitment to safeguarding the information and to treating people and their information with respect," notes Sarraille. And if those messages can be effectively conveyed when the complaint is being received, then the chances of them making an additional complaint to the HHS or seeking out a plaintiffs' lawyer to look at some tort theory, is dramatically reduced, he claims.