[ Friday, March 25, 2005 ]
Complaining about HIPAA:
And I don't mean complaining about what a pain it is to comply with. I mean making a complaint to the "HIPAA Police" that a covered entity or other person has violated HIPAA, particularly with regard to your own PHI.
To date, the only real part of HIPAA that's in effect that someone might complain about is the Privacy Rule, which is enforced by the Office of Civil Rights of HHS. You file a complaint there by going here and following the easy instructions.
Today, HHS has published guidelines for making a complaint under the rest of HIPAA other than the Privacy Rule (such as the soon-to-be-enforceable Security Rule; April 20 is 27 days away!). You can find the instructions here. I suspect they'll put the same type of instructions up that they have for OCR; once they're on the website, I'll post it.
UPDATE: it seems that if a Security Rule complaint is filed against you, HHS will first ask you for a written response, showing either compliance (i.e., the complaint is unfounded), the basis of the disagreement between the CE and the complainer, or a corrective action plan (the complaint is true, but we're fixing it). And it would be a good idea to respond. Assuming HHS will be as compliance-rather-than-punishment oriented as OCR, you don't want to be on their bad side.
Jeff [10:25 AM]