Develop A HIPAA- and OBRA-Compliant Internal Complaints Policy
Question: What must be included in a facility's internal complaints policy to comply with the HIPAA Privacy Rule and OBRA?
- Florida subscriber
Answer: The HIPAA medical privacy rule requires facilities to have a process through which residents, family members, employees or others may make complaints about privacy violations. Since OBRA requires facilities to act promptly to resolve resident grievances, many facilities may already have a resident complaint process that can be expanded to meet the HIPAA privacy requirements.
HIPAA does not require a facility to follow specific procedures for handling complaints, but a facility's internal complaint process should include the following elements whether the facility is expanding an existing process or creating a new one:
(1) Identification of the person or office responsible for receiving and investigating privacy complaints;
(2) A statement in the Notice of Privacy Practices that the resident has the right to file a complaint with the facility and a description of how to file the complaint;
(3) Efforts to ensure that residents or others who submit complaints are not subjected to retaliation for exercising this right;
(4) Disciplinary action for privacy violations by members of the facility's workforce including employees, independent contractors and volunteers;
(5) Training for members of the facility's workforce on the HIPAA Privacy Rule requirements and the facility's complaint process; and
(6) Documentation of complaints received, investigations and actions taken; documentation must be retained for six years.
A facility's complaint process should fit the size and resources of the facility. For example, a large facility or health system may wish to institute a formal complaint system requiring written complaints with standard timeframes for response. A smaller facility may assign a clerk to log written or oral complaints as they are received and assign a manager to review all complaints monthly, address individual situations, and make changes to policies and procedures. Alternatively, a facility could incorporate the privacy complaint process into its corporate compliance program process for reporting violations (via a hotline, complaint box or direct reports to the facility's compliance officer).
- Expert advice provided by attorneys Maureen Weaver and Amanda Littell of Wiggin & Dana LLP in New Haven, CT.