HIPAA Complaint Process

Op10.04-19 HIPAA Complaint Process


It is the policy of Missouri State University to provide patients with the means to file a complaint if they believe that their protected health information has been improperly used or disclosed. See 45 CFR Section 164.530(d)(1).


The University’s HCC

  1. Definitions. As used in this operating regulation, the following terms shall mean:
    1. Complaint: Allegation that a patient’s protected health information has been improperly used or disclosed. A patient may file a complaint; a legal guardian, a personal representative or, if the patient is a minor, a parent may also file the complaint. An original Privacy Complaint Form is to be placed in the patient’s medical record. If the patient has a guardian, a copy of the complaint shall be sent to the guardian, and the patient should be notified that such action has occurred.
    2. Patient: Any person who has received health care services or who is receiving such services from a Southwest Missouri State University HCC.
    3. Protected Health Information (PHI): Individually identifiable health information, defined as any information, including demographic information, collected from an individual that:
      1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
      2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
        1. Identifies the individual, or
        2. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
  2. Procedure. Missouri State University strongly encourages patients and service providers to discuss and attempt to resolve issues in the most direct and informal manner and at the local level. The following steps constitute the HIPAA complaint process.
    1. Utilize the standardized Missouri State University HIPAA Privacy Complaint Form.
    2. Forward a copy of the complaint form to the Missouri State Unit Privacy Officer or University Privacy Officer.
    3. The University Privacy Officer must describe the acts or omissions the patient believes to have occurred.
    4. The HIPAA Privacy Complaint must include the following information:
      1. The date on which the act or omission occurred;
      2. A description of the PHI affected and how it was affected; and
      3. The name(s) of anyone who may have improperly been provided with the PHI.
    5. All Privacy Complaints received by a Unit Privacy Officer will be date-stamped upon arrival.
      1. The Unit Privacy Officer will review and act on the complaint in a timely manner and not more than thirty (30) days from receipt of the complaint. If greater time is necessary to review and investigate the complaint, the Unit Privacy Officer shall, within thirty (30) days, notify the grievant, in writing, of the delay and inform the grievant of the expected time frame for completion of the review.
      2. The Unit Privacy Officer shall determine what PHI is affected by the complaint and if the PHI was provided to other covered entities and business associates.
      3. If the affected PHI was created and maintained by a business associate, the complaint will be forwarded to the business associate as outlined in the Business Associate Agreement. Complaints forwarded to business associates will be logged and a notice of the action sent to the patient making the complaint.
    6. The Unit Privacy Officer shall determine if there is cause to believe that a violation of University privacy operating regulations occurred, and the recommended course of action to be taken.
      1. If no violation has occurred, the complaint and finding will be date-stamped, the complaint will be considered closed, and a written notice of this shall be provided to the patient.
      2. If cause exists to believe that a violation has occurred, the Unit Privacy Officer shall be responsible for determining if:
        1. Performance or training needs to be improved;
        2. A recommendation is to be made for a change to the University operating regulation or the creation of a new HIPAA Policy; or
        3. A conclusion of policy violation is to be reported to implement disciplinary action (Sanction).
      3. The Unit Privacy Officer shall notify the appropriate administrators, faculty, staff or students of the action needed.
      4. If disciplinary action against faculty, students or staff must be taken, it must follow University policies and is to be initiated by the appropriate administrator on referral of the report of the Unit Privacy Officer.
    7. If the complaint resolution finds that no cause exists to believe a violation occurred, then the consumer may seek resolution from the University Privacy Officer (if it is an HCC-based complaint).
      1. The patient, through completion of the Complaint Form, will request that the Unit Privacy Officer or designee forward the complaint to the University Privacy Officer.
      2. The University Privacy Officer will review and act on the complaint in a timely manner and not more than thirty (30) days from receipt of the complaint form.
    8. The University Privacy Officer shall determine one of the following.
      1. That the original determination of the Unit Privacy Officer is accurate.
      2. That remediation should occur at the HCC level through increased training, or that a recommendation is made to the HCC appointing authority for possible disciplinary action.
      3. That a recommendation for department operating regulation review be initiated at the University Privacy Officer level.
      4. That a recommendation be made for the establishment of a new HCC operating regulation.
    9. The original complaint form shall be placed in the patient’s medical record.
  3. Retention. The Unit Privacy Officer’s primary responsibilities in the HIPAA Complaint process include logging and retaining complaints in a retrievable manner for a minimum of six (6) years, and identifying:
    1. Person or entity making the complaint;
    2. Date complaint was received;
    3. A list of what PHI was affected;
    4. Status of complaint;
    5. A list of business associates or facilities affected; and
    6. Actions taken.
  4. There shall be no retaliation against any patient, or against any faculty member, staff member or student for assisting a patient to file a HIPAA Privacy Complaint.
  5. Sanctions. Failure to comply or assure compliance with this Missouri State University policy shall result in disciplinary action, up to and including dismissal.
  6. Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.

HISTORY: Effective March 21, 2003