Who Should HIPAA Complaints be Directed to Within the Covered Entity?

HIPAA complaints within a HIPAA Covered Entity should be directed to the designated privacy official or the office responsible for HIPAA Privacy Rule compliance, using the organization’s published complaint process.

Primary Internal Recipient

A HIPAA Covered Entity must designate a privacy official responsible for the development and implementation of privacy policies and procedures. Complaints about uses or disclosures of protected health information, patient rights, or workforce conduct should be routed to that privacy official or the compliance office that administers the HIPAA Privacy Rule program.

Acceptable Intake Channels

Complaints may be submitted through written forms, email, telephone reporting lines, or in-person submission when those channels are part of the organization’s documented process. Workforce members should follow internal reporting procedures that route complaints to the privacy official for intake, tracking, and response.

Handling Expectations

The privacy official should log the complaint, evaluate whether protected health information was involved, determine whether mitigation or sanctions are required, and document the outcome. Complaints that involve electronic protected health information security events should also be coordinated with the designated security official under the HIPAA Security Rule incident procedures.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years of experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA