Complaints Under HIPAA Privacy Rule

Layout for printing
Policy Number:
UW-140
Old Policy Number:
10.1
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with an individual’s medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule an individual’s information held by a health plan could, without the individual’s permission, be passed on to a lender who could then deny the individual’s application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:
UWMadison health care component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units.
UWMadison HIPAA privacy officer
The individual appointed by UW–Madison to be the privacy officer as required by the HIPAA Privacy Rule.
Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

Consistent with the HIPAA Privacy Rule, UW–Madison requires the designation of a contact person or office to receive HIPAA privacy complaints from individuals and to provide further information in response to individual requests for information about matters covered by a Notice of Privacy Practices.

Policy Detail

  1. Each unit of the UW HCC must designate a HIPAA privacy coordinator in accordance with UW-141, Designation of Unit Privacy and Security Coordinators. Such individual serves as a point of contact for complaints and questions that arise from patients, research subjects, or other individuals or offices regarding HIPAA-covered functions or activities involving their Unit of the UW HCC. The HIPAA privacy officer serves as a point of contact to address complaints that arise from patients, research subjects, or other individuals or offices regarding HIPAA-covered functions or activities involving any area of UW–Madison.
  2. When a HIPAA privacy coordinator receives a complaint from patients, research subjects, or other individuals or offices regarding HIPAA-covered functions or activities involving their Unit of the UW HCC, they will collaborate with the HIPAA privacy officer and other appropriate faculty, leadership, staff, and/or students to address such complaint.
  3. Each HIPAA privacy coordinator will be directly accountable to the administrative officer to whom they report for proper and careful handling of complaints and questions.
  4. Each HIPAA privacy coordinator will use the usual unit processes to resolve any complaints on an informal basis to the extent practical. In such instances, the HIPAA privacy coordinator will provide documentation to the HIPAA privacy officer about the complaint and informal resolution within a reasonable period of time following the resolution of the complaint.
  5. If a complaint or question cannot be resolved to the satisfaction of an individual or, if at any time, the individual indicates that they wish to make a written complaint related to a HIPAA privacy matter:
    1. The HIPAA privacy coordinator will provide the individual with the Privacy Complaint form and provide basic instructions on how to complete and file the complaint.
    2. The written complaint may be filed either with the unit or directly with the HIPAA privacy officer.
    3. If a written complaint is filed with a unit, the unit must, within 24 hours of filing, advance a copy of the complaint to the HIPAA privacy officer.
    4. The HIPAA privacy officer will request and review all information related to any written complaint, initiate a further investigation (if needed), consult with appropriate officials of UW–Madison, make decisions concerning the appropriate response, and respond in writing, on behalf of UW–Madison, to the individual.
    5. In cases where one or more covered entities are involved in the complaint in addition to UW–Madison, the HIPAA privacy officers of all of the covered entities involved should confer and decide upon a mutually agreeable response. One or more of the HIPAA privacy officers involved will sign a written response to the individual in such cases.

  6. Reports to HIPAA Executive Board

    The UW–Madison HIPAA privacy officer will periodically report to the HIPAA Executive Board on the number and nature of the complaints filed and the resolution of such complaints, if any.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW–Madison Documents, Web Pages, or Other Resources:

Additional information may be found at www.compliance.wisc.edu/hipaa

External References:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
04-14-2003
Revised Dates:

09-03-2014: Effective date of the revised policy: 09-03-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
06-02-2021: Effective date of the revised policy: 06-02-2021.

10-20-21

 

Retrieved:
04-27-2024 03:48:02