DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Under HIPAA, an individual who believes that a HIPAA-covered entity (a covered entity or a business associate) is not complying with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, or the HIPAA-covered entity's policies or procedures, may file a complaint with the Secretary of the Department of Health and Human Services (DHHS). Complaints may be filed either online, or in writing by mail.
What are the Complaint Filing Requirements?
An individual need not be an employee, contractor, or patient, to file a complaint. Anyone may file a complaint with HHS, provided certain requirements are met:
1. The complaint must be filed in writing, either on paper or electronically.
2. The complaint must name the individual or entity that is the subject of the complaint.
3. The complaint must describe the acts or omissions that the complainant (the person who is filing the complaint) believes are in violation of the Privacy Rule, Security Rule, or Breach Notification Rule.
Is There a Complaint Filing Deadline?
Individuals have 180 days from when they knew, or should have known, that the act or omission complained of occurred. HHS may waive this deadline, and provide for an extension, for "good cause shown."
What is the HIPAA Complaint Process?
For an overview of the HIPAA complaint process, please click here.
What is Intake and Review?
The complaint review process begins with intake and review. HHS will review a complaint to determine whether there is a possible HIPAA violation. If HHS determines that there is no potential HIPAA violation, HHS will not conduct an investigation or take further action with respect to the complaint.
There are several circumstances under which HHS will decide not to take action after intake and review. In each case, the decision not to take action occurs because there is no HIPAA violation.
There is no HIPAA violation when:
1. The incident complained of occurred more than six years ago (HHS will not investigate an incident that occurred more than six years ago).
2. The entity that is the subject of the complaint is not subject to HIPAA (e.g., it is not a covered entity or business associate).
3. The complaint has not been filed within 180 days, and no extension has been granted.
4. The incident alleged in the complaint does not violate the HIPAA rules.
What Happens If, After Intake and Review, HHS Finds a Possible HIPAA Rule Violation?
If HHS finds a possible HIPAA rule violation, it will determine whether it has cause to investigate. HHS may determine that it does not have cause to investigate, in which case the matter is deemed resolved. Or, HHS may believe that it does have cause to investigate, but may decide, instead of pursuing an investigation, to provide technical assistance to the covered entity or business associate that was the subject of the complaint. HHS may close out a complaint after providing the technical assistance.
What and How Does HHS Investigate a Complaint?
If, however, HHS believes it has cause to investigate, or deems that technical assistance for a possible HIPAA rule violation is not warranted, HHS will commence an investigation. An investigation results in one of the following potential outcomes:
1. OCR finds no violation, and closes the complaint.
2. HHS/OCR decides to correct the potential violation by providing technical assistance.
3. HHS makes a decision not to investigate further.
4. OCR issues a formal finding of a violation.
5. OCR obtains voluntary compliance, corrective action, or other agreement.
What are Complaint Investigation Procedures?
Complaint investigation procedures are governed by the HITECH Act. Under that law, HHS must:
1. Investigate any complaint filed, where a preliminary factual review indicates a possible violation due to willful neglect.
2. Impose civil monetary penalties for violations that are due to willful neglect.
"Willful neglect" means conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA.
"Reasonable cause" means an act or omission that a covered entity knew, or by exercising reasonable diligence would have known, violated the HIPAA Rules, but in which the covered entity or business associate did not act with willful neglect.
The definition of "reasonable cause" includes violations due to:
- Circumstances that would make it unreasonable for a CE or BA, despite exercising ordinary business care and prudence, to comply with the HIPAA Rules.
- Other circumstances in which a CE or BA has knowledge of a violation, but lacks the conscious intent or reckless indifference associated with willful neglect.
"Reasonable cause" is a lesser degree of culpability than is "willful neglect."
HHS may also investigate any other complaint that a complainant files.
When HHS Investigates a Complaint, What Does it Review?
When HHS investigates a complaint, it may review the circumstances regarding the alleged violation. It may also review the CE's or BA's policies, procedures, or practices that are relevant to the complaint.
HHS, in its initial written communication to a covered entity or a business associate about a complaint, will describe the acts or omissions alleged in the complaint. HHS also has the discretion to conduct a complaint investigation or compliance review, if, after its preliminary review, HHS determines that the degree of culpability appears to be less than willful neglect.
No Retaliation Allowed
Whether an individual files a complaint with the covered entity or business associate itself, or with HHS, HIPAA prohibits covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against any person who has filed a complaint.
What Happens After a Compliance Review or Complaint Investigation?
Regardless of whether a compliance review or complaint investigation indicates noncompliance, HHS typically makes some form of response.
Voluntary Compliance, Corrective Action, or Other Agreement
If HHS conducts a compliance review or complaint investigation, and that review or investigation indicates noncompliance, HHS can proceed in one of several ways. HHS may attempt to resolve the matter informally. Methods of informal resolution include: (1) giving the covered entity or business associate an opportunity to bring itself into compliance; if the covered entity or business associate brings itself into compliance, HHS may mark the complaint "resolved"; (2) imposing a corrective action plan (CAP) that requires the covered entity or business associate to take specific steps (such as, for example, developing or modifying and enforcing policies and procedures); or (3) some other agreement.
If the complaint is resolved informally through one of these means (e.g., the covered entity has brought itself into compliance; the covered entity or business associate has successfully completed the CAP; or the covered entity or business associate has successfully performed under the "some other agreement"), HHS notifies the complainant that the matter has been resolved.
Can HHS Enter Into a Settlement Agreement When Non-Compliance Is Indicated?
Yes. HHS may resolve an investigation by entering into a settlement agreement (also called a resolution agreement) with the entity whose noncompliance has been indicated. Typically, a settlement agreement requires a monetary payment by the entity whose noncompliance has been indicated, as well as that entity's agreement to submit to a corrective action plan (typically anywhere from one to three years long). Settlement monies are transferred to OCR, and are used to enforce HIPAA.
What Happens if a Complaint Is Not Resolved Informally or By Settlement?
If a complaint has not been resolved informally, HHS does two things:
a. HHS notifies the covered entity or business associate that the complaint has not been resolved informally.
b. HHS permits the covered entity to submit written evidence of any mitigating factors or affirmative defenses for OCR to consider.
The covered entity or business associate generally must submit the requested evidence to HHS within 30 days of the notification. If, after reviewing the evidence, HHS determines that a civil monetary penalty (CMP) should be imposed, HHS informs the covered entity or business associate of HHS' intent to impose the CMP. The written notice through which HHS communicates this intent, which includes the amount of the proposed penalty, is known as a Notice of Proposed Penalty or Notice of Proposed Determination.
What Civil Monetary Penalties May be Imposed?
HHS may impose civil monetary penalties (CMPs) upon finalizing the Notice of Proposed Determination or Notice of Proposed Penalty.
Civil Monetary Penalties (CMPs) are transferred to OCR, and are used to enforce HIPAA.
Penalties fall into one of four tiers. Each tier contains its own penalty amount. The four tiers are described below.
Lack of Knowledge (Tier 1)
Tier 1 penalties apply for a violation of the HIPAA rules, if it is established that a covered entity or business associate did not know, and by exercising reasonable diligence would not have known, that the CE or BA violated HIPAA.
The current Tier 1 penalties are:
- A minimum of $137 per violation, effective October 6, 2023 (formerly $127 per violation).
- A maximum of $68,928 per violation, effective October 6, 2023 (formerly $63,973 per violation).
Effective October 6, 2023, the calendar year cap for Tier 1 violations is $2,067,813 per violation (formerly $1,919,173 per violation; penalty amounts are adjusted yearly for inflation).
Reasonable Cause but Not Willful Neglect (Tier 2)
Tier 2 penalties apply for a violation of the HIPAA rules, if it is established that the violation was due to reasonable cause, and not to willful neglect.
The current Tier 2 penalties are:
- A minimum of $1,379 per violation, effective October 6, 2023 (formerly $1,280 per violation).
- A maximum of $68,928 per violation, effective October 6, 2023 (formerly $63,973 per violation).
Effective October 6, 2023, the calendar year cap for Tier 2 violations is $2,067,813 per violation (formerly $1,919,173 per violation).
Willful Neglect and Corrected (Tier 3)
Tier 3 penalties apply for a HIPAA violation, if it is established that the violation was due to willful neglect and corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred.
The current Tier 3 penalties are:
- A minimum of $13,785 per violation, effective October 6, 2023 (formerly $12,794 per violation).
- A maximum of $68,928 per violation, effective October 6, 2023 (formerly $63,973 per violation).
Effective October 6, 2023, the calendar year cap for Tier 3 violations is $2,067,813 per violation (formerly $1,919,173 per violation).
Willful Neglect and Not Corrected (Tier 4)
Tier 4 penalties apply to a HIPAA violation, if it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the CE or BA knew (or by exercising reasonable diligence would have known) that the violation occurred.
The current Tier 4 penalties are:
- A minimum of $68,928 per violation, effective October 6, 2023 (formerly $63,973 per violation).
- A maximum of $2,067,813 per violation, effective October 6, 2023 (formerly $1,919,173 per violation).
Effective October 6, 2023, the calendar year cap for Tier 4 violations is $2,067,813 per violation (formerly $1,919,173 per violation).
No Further Action
If HHS performs an investigation or compliance review and determines that no further action is warranted, it informs the CE or BA of this fact in writing. For issues arising from a complaint, HHS provides written notice to the individual who brought the complaint.
What Complaint Documentation Obligations Do HIPAA-Covered Entities Have?
If an individual files a complaint directly with a covered entity or business associate, HIPAA requires that the covered entity or business associate maintain all documentation of the complaint, as well as how it was disposed of, for at least six years.