HIPAA: Are You Prepared for a Patient Complaint?

Most practices assume they have HIPAA covered, but when an actual incident occurs, they find out too late that staff are not prepared or that the practice is missing important compliance documentation.

Physicians and providers take extra precautions when treating a high-profile or celebrity patient; however, the most common type of patient HIPAA complaint stems from interpersonal relationships and conflicts between staff and patients. These conflicts are common in practices where staff know patients, and patients’ friends and family, personally.

What happens if you can’t document your compliance? 

The Indiana Court of Appeals upheld a $1.4 million verdict against Walgreen Co. (Walgreens) and one of its pharmacists, who had accessed and shared confidential prescription information about a customer who had once dated the pharmacist’s husband. Walgreens was held liable even though the pharmacist admitted she knew that disclosing the information was against Walgreens’ policies, because Walgreens could not document the following:

  • Adequate employee training, and
  • Procedures to supervise employees, including monitoring of access to patient records.

What do you need to do if you receive a patient HIPAA complaint?

1. Conduct a risk assessment.

You should have an incident response plan for a malicious insider (a person who intentionally violates your policies) that your HIPAA security officer can follow to investigate and respond to the incident. The plan should include the steps to restrict the individual’s access to protected health information (PHI) and to preserve the audit logs of the individual’s access to PHI; those logs are the evidence your assessment will rest on. The risk assessment is the one the HIPAA Breach Notification Rule calls for: an impermissible use or disclosure of PHI is presumed to be a breach unless you can document a low probability that the PHI was compromised. If you cannot document that, you may need to report a breach under the rule.

2. Gather your compliance documentation.

You will need documentation to support the final determination of your risk assessment, whether or not you conclude that a breach occurred. This may include:

  • Your most recent risk analysis, identifying the malicious insider as a threat;
  • Employee training, identified as a safeguard in your compliance plan, including notice to employees that access to records is monitored;
  • Auditing of access to patient records in your PHI systems, identified as a safeguard;
  • Retention and review of PHI audit logs, identified as a safeguard;
  • Policies specifying that these safeguards are to be implemented: employee training, auditing of access to patient records, and review of audit logs;
  • Documentation that your policies have been implemented; 
  • Documentation that your policies continue to be followed after implementation, including verification that audit logs are reviewed on a regular schedule and in high-risk situations, such as an employee’s resignation or termination, treatment of a high-profile patient, and staff interpersonal conflicts.
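The two log-related safeguards above, retaining the individual’s access record and reviewing the logs for high-risk situations, are concrete enough to show in code. The following is an added example, not TMA’s code and not taken from the original page: a small Python review of a PHI access audit log that (1) pulls every access by one employee, the record the security officer preserves for the risk assessment, and (2) flags accesses to patients under extra scrutiny (high-profile, or known staff conflict) and accesses after an employee’s separation date. The log format, user names, patient IDs, flag list and separation dates are all constructed assumptions for illustration.

```python
"""Review of a constructed PHI access audit log (added example, not TMA's code).

Assumptions: one access event per line as "ISO-timestamp,user,patient_id,action";
the user names, patient IDs, flagged-patient list and separation dates below
are constructed for illustration only.
"""
from collections import namedtuple
from datetime import datetime

AccessEvent = namedtuple("AccessEvent", "time user patient_id action")

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2015-08-03T09:12:44,jsmith,P-1001,view
2015-08-03T09:15:02,jsmith,P-1002,view
2015-08-03T10:40:19,rlee,P-2210,update
2015-08-04T13:05:55,jsmith,P-3307,view
2015-08-04T13:06:30,jsmith,P-3307,print
2015-08-06T08:01:10,rlee,P-1001,view
2015-08-07T17:22:48,rlee,P-2210,view
"""

# Patients whose records warrant extra scrutiny, with the reason (assumed).
FLAGGED_PATIENTS = {
    "P-3307": "staff interpersonal conflict",
    "P-2210": "high-profile patient",
}

# Time at which each separated employee's access should have been revoked (assumed).
SEPARATIONS = {"rlee": datetime(2015, 8, 5, 17, 0)}


def parse_log(text):
    """Parse the comma-separated audit log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient_id, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient_id, action))
    return events


def accesses_by_user(events, user):
    """Every access by one employee: the record preserved for an investigation."""
    return [e for e in events if e.user == user]


def review(events, flagged=FLAGGED_PATIENTS, separations=SEPARATIONS):
    """Return (event, reason) pairs that need follow-up.

    An event can produce two findings (flagged patient AND post-separation
    access); both are reported because each is a separate question for the
    risk assessment.
    """
    findings = []
    for e in events:
        if e.patient_id in flagged:
            findings.append((e, "access to flagged patient (%s)" % flagged[e.patient_id]))
        cutoff = separations.get(e.user)
        if cutoff is not None and e.time >= cutoff:
            findings.append((e, "access after separation cutoff %s" % cutoff.isoformat()))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Record for jsmith:")
    for e in accesses_by_user(evs, "jsmith"):
        print("  %s %s %s" % (e.time.isoformat(), e.patient_id, e.action))
    print("Findings:")
    for e, reason in review(evs):
        print("  %s %s %s -> %s" % (e.time.isoformat(), e.user, e.patient_id, reason))
```

Run on a schedule, the `review` function is the “regularly scheduled review” the policy calls for; run with a single user’s events (`accesses_by_user`), it produces the access record to preserve when a complaint arrives. In a real system the log would come from the EHR’s audit export and the flag lists from the practice’s own records, and the reviewer would also check that the log itself cannot be altered by the person under investigation.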

Don’t wait until you have an incident. Visit the TMA HIPAA Resource Center to find out more about HIPAA security.

Published Aug. 12, 2015


Last updated May 30, 2019