HIPAA Privacy Complaint Process

Version 1 (Current Version)
Policy: REG12.60.08
Title: HIPAA Privacy Complaint Process
Category: Health Affairs
Sub-category: Health Affairs Matters - General
Authority: Chancellor

History

Effective: September 19, 2013

Revised: December 6, 2007; October 8, 2010; September 18, 2013

Transitioned from Interim to Permanent: July 17, 2014.

Related Policies

Sanctions

Additional References

45 CFR 164 Subpart E: Privacy of Individually Identifiable Health Information

"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702.

ECU Healthcare Components


1. Purpose

1.1. East Carolina University's Health Care Components ("ECU Health Care Components") have a legal duty to protect the integrity and confidentiality of protected health information ("PHI"). The purpose of this regulation is to define a process for individuals to file a complaint if they suspect a potential privacy violation or if they feel their individual privacy rights have been violated.

2. Regulation

2.1. ECU's Health Care Components must comply with all local, state and federal requirements governing the handling and distribution of PHI. As part of these efforts, ECU's Health Care Components will have a process in place for all individuals to file a complaint if they feel their privacy rights have been violated or if they suspect potential privacy violations regarding efforts to safeguard PHI.

2.2. Individuals may also file a complaint concerning those policies and procedures established by ECU to safeguard PHI without alleging a potential violation of rights.

2.3. This complaint process will be described in the Notice of Privacy Practices used within all ECU Health Care Components. There will be no intimidation or retaliatory actions against any individual making a complaint.

2.4. ECU recognizes that individuals may file a complaint, per this regulation, with the United States Department of Health and Human Services Office for Civil Rights.

3. Procedure

3.1. Filing a complaint (Non-ECU Staff): Complaints of alleged privacy rights violations can be received through multiple channels (e.g., phone call, letter via mail/email, in person) within an ECU Health Care Component. Many of these will be made without directly contacting the Privacy Officer as described in the Notice of Privacy Practices. For these, staff will:

3.1.1. Phone Calls/In-Person Request to File Complaints: Complete the Privacy Complaint Form and immediately forward to the Privacy Officer or direct the individual to call the Privacy Officer at 252-744-5200.

3.1.2. Letters/emails (print out): Complete and attach the written complaint to the Privacy Complaint Form and immediately forward to the Privacy Officer.

3.2. Filing a complaint (ECU Staff): Call the Brody School of Medicine Compliance Hotline at 1-866-515-4587 or call the Privacy Officer at 252-744-5200. Employees may also complete the Privacy Complaint Form and forward to the Privacy Officer.

3.2.1. If an employee believes that they have been retaliated against in violation of paragraph 2.3, the employee should notify the Privacy Office.

3.2.2. If an employee believes that they have been retaliated against in relation to harassment or discrimination, the employee should notify the Office for Equity and Diversity at 252-328-6804 or by email at oed@ecu.edu.

3.3. Filing a complaint directly to Privacy Officer (Non-ECU & ECU Staff): The Privacy Officer will complete the Privacy Complaint Form and initiate the primary investigation.

3.4. Review of Complaint: All complaints will be initially reviewed by the Privacy Officer or designated person to determine if the complaint is in violation of ECU HIPAA Privacy Policies and Procedures or other known regulations regarding the protection of PHI.

3.4.1. Complaints Requiring No Further Review: If no known violations have occurred, the Privacy Officer will contact the individual making the complaint by letter and inform them of this finding within 60 days of initial receipt of complaint. All documentation will be maintained as prescribed in this regulation.

3.4.2. Complaints Requiring Further Review: If a suspected privacy violation has occurred, the Privacy Officer will conduct a detailed review by conducting reviews, contacting employees, working with the Security Officer (as applicable), and working with other University resources as needed.

3.5. If the ECU HIPAA Privacy Officer determines that a HIPAA privacy violation has occurred, the ECU HIPAA Privacy Officer will initiate and coordinate actions as appropriate according to the Sanctions Regulation.

3.6. The Privacy Officer will contact the individual making the complaint by letter and inform them of the outcome within 60 days of initial receipt of complaint.

3.6.1. In the event that this 60-day period cannot be met, the Privacy Officer shall communicate this to the individual in writing and include an estimated timeframe for completion.

3.6.2. If applicable, Office of University Counsel, Risk Management, and Compliance will review occurrences of known privacy violations including all communication to the individual filing the complaint (confirmed violations and non-violations). All documentation will be maintained as prescribed in this regulation.

3.7. Documentation: The ECU HIPAA Privacy Office will maintain all documentation regarding a complaint for a minimum of six years from the initial date of the complaint.