HIPAA & HITECH Part 2: Complaints & Breaches

Despite best efforts - errors, workforce non-compliance, complaints and breaches do occur. HIPAA and HITECH impose the duty to monitor and resolve these issues in a mandated timeframe. The complaint and breach report process addressed in Part 2 outlines the elements of this key administrative safeguard and incorporates the HITECH risk assessment and notification requirements of the HIPAA Omnibus Rule.

• Section 1: Health Information Management – It is the responsibility of the Covered Entity to document, investigate, and resolve all complaints and breaches that come to its attention in a timely manner as well as the responsibility of privacy and security officers to implement this safeguard. Business Associates are an element of and accountable to the Covered Entity in its Health Information Management process.

  
  

• Section 2: Complaint Management Process – This section provides an outline of the elements of the administrative safeguard requiring the investigation of HIPAA complaints in a timely manner. It provides a template to guide development of a complaint report and investigation process and a template for a Privacy and Security Complaint Policy with sample complaint forms. Documentation developed form this section can be produced in an OCR audit to demonstrate the Covered Entity's/Business Associate's compliance efforts.

  
  

• Section 3: Breach Management and Reporting – The HIPAA Omnibus Rule requires the documentation and investigation of all breaches and security incidents ("breaches") in a timely manner, and has outlined specific exceptions which fall outside of the breach notification requirement. This section provides a template to guide the development of a breach report and investigation process, as well as how to identify exceptions to the notification requirement; guidance about the required elements for a breach notification letter with a sample breach notification letter, and a template for a Privacy and Security Complaint Policy with sample complaint forms. Documents developed from this section can be produced in an OCR audit to demonstrate the Covered Entity's/Business Associate's compliance efforts.

  
  

• Section 4: Sanctions, Workforce Training, and Case Studies - This section focuses on the liability of the Covered Entity, Business Associate and/or individual employees for non-compliance and violations.Case studies taken from actual HHS investigations demonstrate the regulatory oversight required and sanctions into the hundreds of thousands of dollars assessed for non-compliance to date.Accountability is an essential aspect of a Compliance Plan and meaningful workforce training programs.