[ Tuesday, March 11, 2003 ]
As you should know, HIPAA requires you to adopt policies and procedures outlining a complaint process for your patients and others who want to complain about the way you use their PHI. You need to reference it in your NOPP, as well as have explicit policies and procedures that you (and your employees) follow in the face of a complaint.
As you may not know, individuals can complain to you, to HHS, or both. I suspect that most complaints will be to the covered entity, not to HHS (unless the covered entity doesn't respond quickly or properly). Here's a thought: I once heard a speaker at a physician conference state that the best insurance against a malpractice suit is a good bedside manner, and vice versa. Bad outcomes become malpractice cases when the patient or his family decide that the doctor is mean/rude/obnoxious/etc. By the same token, mistakes in handling PHI will become HHS complaints or lawsuits if the initial complaint is botched.
Pay close attention to your policies and procedures regarding complaints. Make sure your privacy officer (or other contact person if you go that route) is ready to hold hands with complaining patients and "feel their pain." If your privacy officer is empathetic, you might be able to avoid enforcement actions. On the other hand, if your privacy officer is just pathetic rather than empathetic, . . . .
Jeff [9:17 AM]