Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

7 Steps to Take When You Have a HIPAA Complaint

We’ve gotten a few calls about this issue. This is a continuation of our blog from 2 weeks ago. What do you do when a client/patient contacts you about improper use of their PHI and thinks they have a HIPAA Complaint?

The 7 Steps

    1. Communication is key. You need to listen closely to what the client/patient is saying, what the issue is, and what kind of resolution they are looking for. Many times, listening can solve most of your problems, and will keep this client from filing a formal complaint with HHS.
    2. Document this issue. Regardless of whether the person files a complaint with HHS, it’s important that you document what the issue was, when it occurred, and what information the client felt was released or used improperly. If you determine there was a breach, this information needs to be filed with HHS within 60 days of the end of the calendar year.
    3. Remember: Breaches of over 500 clients information needs to be reported to HHS within 30 days of discovery, or from when you should have known there was a breach. They also need to be reported to prominent local media outlets, and posted on your website.
    4. Fix the problem. This is easier said than done sometimes. Once information has been released, it’s hard, if not impossible to have it unreleased. One example we’ve seen lately is bills being sent to the wrong family member. Update your records to reflect that you’ve identified the problem and made the necessary changes. In this case, you have a breach since the wrong person has seen PHI. You would need to document this, notate how you’ve mitigated the problem, and file with HHS at the end of the year.
    5. Many providers choose to give clients who have had their information breached free credit monitoring for a year to help mitigate any issues they might come up against.
    6. If you do find there was an issue, you should audit the rest of your records to make sure this is a one-time incident and not the proverbial canary in the coal mine.
    7. This client/patient may still use your services after the report. By law, you are NOT allowed to retaliate in any way. This may be uncomfortable for you and people in your agency/practice, but the reality is they might be doing you a favor by pointing out an error! You should be professional, and courteous with these people, and put any personal feelings behind you. If this does become a major issue, you can suggest that the client/patient might be more comfortable with another provider, but you cannot force them to make this change.

Let us know if you have any questions or comments on how to respond.

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)