How OCR Investigates a Health Information Privacy and Security Complaint
The Office for Civil Rights (OCR) investigates complaints related to violations of health information privacy and security, primarily governed by the HIPAA Rules. When an individual believes their health information rights have been violated, they can file a complaint with OCR. The investigation process typically includes reviewing whether the violation involved a covered entity or business associate and whether the complaint was filed within 180 days of the alleged incident. Costs associated with this process often include administrative and legal fees, but individuals are not charged for filing a complaint. Entities found in violation may face corrective actions, settlements, or civil money penalties. Patients are encouraged to request itemized documentation regarding investigation outcomes and any related charges to ensure transparency.
Cost Breakdown: HIPAA Complaint Investigation
- Filing the Complaint: No direct cost to individuals.
- Administrative Costs: Covered by the OCR or the investigated entity.
- Legal Fees (for entities): May apply if hearings or settlements are needed.
- Civil Money Penalties: Imposed on covered entities or business associates if violations are confirmed and unresolved.
Associated Costs and Considerations
- Corrective Action Costs: Entities may incur expenses to implement new privacy or security measures.
- Potential Settlement Agreements: May involve financial payment by the entity to resolve the case.
- Indirect Costs: Entities may face reputational or operational impacts following an OCR investigation.
Insurance & Payment Advice
- Individuals do not pay for filing or participating in an OCR investigation.
- Entities should consult with legal counsel and consider liability insurance to cover potential penalties or settlements.
- Request written, itemized estimates from legal or compliance advisors if you are an entity subject to investigation.
Frequently Asked Questions
- Is there a fee to file a HIPAA complaint with OCR? No, individuals do not pay any fees to file a HIPAA complaint with OCR.
- What costs might a covered entity face if found in violation? Covered entities may face corrective action costs, settlement payments, and civil money penalties if they do not comply with HIPAA rules.
- How long do I have to file a complaint? You must file your complaint within 180 days of the alleged violation.
- Can OCR impose financial penalties? Yes, OCR can impose civil money penalties if the covered entity fails to resolve the violation satisfactorily.
- Will I receive a report after the investigation? Yes, OCR issues a letter describing the resolution of the investigation at its conclusion.
- Do I need a lawyer to file a complaint? No, you do not need legal representation to file a complaint with OCR.
- What happens if the entity disagrees with OCR’s decision? The entity may request a hearing before an HHS administrative law judge if civil money penalties are imposed.
- Does my health insurance affect the process? No, health insurance is not involved in the OCR complaint investigation process.
- Are there indirect costs for individuals? Individuals typically do not face direct or indirect costs when filing a HIPAA complaint.
- Can I request an itemized estimate from OCR? While individuals do not face costs, entities under investigation can request itemized statements from legal or compliance advisors regarding possible expenses.
OCR carefully reviews all health information privacy and security complaints. Under the law, OCR may take action on a complaint only if:
- Your rights were violated by a covered entity or business associate
- You file your complaint within 180 days of the violation
What Happens After the Investigation
At the end of the investigation, OCR issues a letter describing the resolution of the investigation.
If OCR determines that a covered entity or business associate may not have complied with the HIPAA Rules, that entity or business associate must:
- Voluntarily comply with the HIPAA Rules
- Take corrective action
- Agree to a settlement
If the covered entity or business associate does not take satisfactory action to resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.