 |
 |
 |
 |
 |
 |
 |
 |
 |
|
|
|||||||||||
| ||||||||||||
________________________________________________________________________________________________________________________________
Section VIII: |
Privacy and Security |
Title: |
Privacy Manual |
Chapter: |
Administrative Policies, Privacy Complaints |
Current Effective Date: |
5/1/05 |
Revision History: |
1/10/03, 8/21/03, 4/6/05 |
Original Effective Date: |
4/14/03 |
________________________________________________________________________________________________________________________________
This policy establishes the North Carolina Department of Health and Human Services (NC DHHS) process for providing information and controlling the receipt and disposition of concerns and complaints regarding the department’s practices, policies, and procedures related to the privacy protections of individually identifiable health information, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
This policy shall apply to the following DHHS agencies, whether or not they serve clients:
The HIPAA Privacy Rule requires that health care providers and health care plans develop procedures for responding to individuals who make inquiries, express concerns, and/or file complaints regarding an agency’s privacy practices, policies, and procedures. Such communications may be rendered:
DHHS has determined that this communications process for privacy should be extended to all agencies within this department that maintain individually identifiable health information.
DHHS agencies shall respond to every identifiable privacy complaint received. Each identifiable privacy complaint shall generate an investigation and a response.
Ensuing investigations should focus on both the specific privacy complaint and any patterns of similar privacy complaints. Documentation of privacy complaints, investigative efforts, and complaint disposition is considered administrative information and shall be maintained in administrative files for at least six (6) years. Documentation of privacy complaint information shall not be filed in a client’s treatment, financial, or other designated record sets.
DHHS agencies shall develop procedures for responding to individuals who wish to file a privacy complaint against their agency whenever there is reason for an individual to believe that an agency’s privacy practices have been breached in some manner. Privacy complaints shall be documented, investigated, and resolved in a timely manner, ensuring clients and other individuals that the department is committed to protecting the health information that is created, received, and maintained by DHHS agencies.
Each agency shall designate a staff member who is responsible for communicating and assisting individuals who have questions or concerns, or who wish to file a complaint regarding the agency’s privacy practices. It is strongly recommended that this responsibility be limited to one person in the agency to ensure control of investigative activities, resolution, and follow-up as required.
Agencies that are required to comply with the HIPAA Privacy Rule are encouraged to designate the agency’s privacy official as the primary contact for privacy complaints; however, if another staff member is designated as the primary contact person (or as a back-up), the agency shall ensure that all privacy complaints are processed according to the department’s requirements and that the facts are discussed with the agency’s privacy official prior to final resolution. All complaint documentation collected by an agency’s primary contact person shall be forwarded to the agency privacy official who is responsible for maintaining the agency’s official file of complaints and resolutions.
Agencies that are NOT required to comply with the HIPAA Privacy Rule, but maintain individually identifiable health information, are required to designate a staff member to fulfill this responsibility. A staff member who is designated as the primary contact person for complaints must be familiar with state and federal laws and regulations regarding privacy, as well as HIPAA requirements including the agency’s privacy policies and procedures, adequate safeguards, and client rights.
The DHHS Privacy Officer is the department’s privacy expert and serves as a resource to CARE-LINE referral specialists, agency privacy officials, and agency primary contact persons. The DHHS Privacy Officer shall be contacted whenever a privacy complaint alleges inappropriate or unauthorized disclosure of individually identifiable health information outside of a covered health care component or agency (e.g., disclosure of individually identifiable health information to the news media), and whenever an agency needs assistance in resolving a privacy complaint.
The DHHS Privacy Officer is responsible for maintaining a current list of privacy contacts in each agency and for informing CARE-LINE of any changes for referral purposes; therefore, each agency is required to notify the DHHS Privacy Officer of any staff changes in the agency Privacy Official and/or primary contact person. The DHHS Privacy Officer is required to keep CARE-LINE staff informed of each agency’s current privacy contact person.
Investigation of privacy complaints must begin immediately following receipt of an expressed complaint. Investigative actions and resolution shall be documented on the DHHS Health Information Privacy Complaint Form and must be approved according to agency requirements for review (i.e., agency attorney, risk management team) prior to developing a written response to the individual who filed the privacy complaint. Complaint resolution should be completed within 30 days, unless there is a significant reason for delay, at which time an extension up to 30 days may be granted by the agency director.
The Notice of Privacy Practices, required for DHHS covered health care components that must comply with the HIPAA Privacy Rule, shall include the designated agency privacy complaint contact information, as well as the CARE-LINE contact information. (Refer to the DHHS Policy Client Rights Policies, Notice of Privacy Practices for complete policy requirements.)
Regardless of how a complaint is received, DHHS agencies shall stress the importance it places on privacy and its receptivity to learning about privacy concerns.
DHHS agencies shall ensure that all privacy complaints are documented on the DHHS Health Information Privacy Complaint Form. Documentation may be done by agency staff or by the individual who is filing the complaint. Agency procedures shall specify the complaints procedures for each agency.
Each DHHS agency shall develop and implement a log based on the DHHS Privacy Complaints Tracking template for tracking its privacy complaint forms that will indicate the status of pending investigations.
The DHHS Privacy Officer shall develop and implement a statistical database for privacy complaints from all divisions and offices. Reports will be designed to establish trends and patterns, if any, and will highlight any areas of concern.
DHHS health care components covered by HIPAA are required to publish and distribute their Notice of Privacy Practices, which includes the CARE-LINE telephone number, identification of the agency contact person, and the contact information for the Secretary of the US Department of Health and Human Services.
Whenever an individual calls CARE-LINE, the information and referral staff shall determine whether the caller is primarily seeking general information about HIPAA or the caller wishes to file a privacy complaint against the department or a specific agency within the department.
If an individual contacts the agency initially, the agency’s privacy official or primary contact person shall determine if the issue can be resolved at the agency level. If so, the privacy official or primary contact person shall be responsible for processing and documenting the concern until the issue is resolved. Divisions/facilities/schools operated by the Division of Mental Health, Developmental Disabilities and Substance Abuse Services are encouraged to involve their internal client advocates in the complaint investigation process when deemed appropriate.
If the privacy official or primary contact person determines the issue concerns other agencies in the department as well or if he/she is unable to obtain resolution at the agency level, the issue shall be forwarded to the DHHS Privacy Officer for resolution.
If an individual contacts the DHHS Privacy Officer first, the DHHS Privacy Officer shall determine if the issue is agency-specific and shall attempt to refer the individual to the appropriate agency, as needed. If the individual does not wish to speak with agency staff directly, the DHHS Privacy Officer shall collect the complaint information and work with the agency privacy official or primary contact person to resolve the issue.
In general, the DHHS Privacy Officer shall handle only those issues or concerns that affect the department as a whole or those complaints referred by CARE-LINE or a DHHS agency. Resolution of department issues may require involvement of the DHHS Secretary and the Attorney General offices. The DHHS Privacy Officer shall refer complaints to the US DHHS Secretary whenever appropriate.
The DHHS Health Information Privacy Complaint Form shall be used to document an individual’s complaint. Each agency shall make every effort to ensure documentation of privacy complaints is accurate and reflects the complainant’s concerns.
Agencies shall make a good faith effort to have all complaint documentation signed by the complainant and should use their same procedures for obtaining signatures for privacy complaints as they use to obtain signatures for authorizations and consents. If a complainant appears in person to an agency privacy official or primary contact person, or the DHHS Privacy Officer, the complaint information may be documented by the complainant or by DHHS staff, at which time the complainant shall be requested to sign the documentation. Written documentation received through the US mail, e-mail, or facsimile from the complainant shall constitute signature. Telephone complaints shall be documented by the agency privacy official or primary contact person, or the DHHS Privacy Officer. A copy of the documented complaint shall be sent to the complainant with a request for signature. Regardless of whether a signed copy of the form is returned by the complainant, the sending of a copy by DHHS staff will constitute a good faith effort to obtain signature. Investigation of a complaint shall begin immediately following receipt of the complaint.
Whenever the agency privacy official or primary contact person is satisfied that a privacy complaint has been adequately investigated and resolved, a copy of the completed DHHS Health Information Privacy Complaint Form and any accompanying documentation shall be forwarded to the DHHS Privacy Officer. Likewise, if the DHHS Privacy Officer obtains resolution, a copy of those files shall be returned to the agency named in the complaint. Official complaint files shall be maintained for at least six (6) years.
Reference:
DHHS Directive Number III-11; 45 CFR 164.530
For Relevant Forms:
DHHS Health Information Privacy Complaint
DHHS Privacy Complaints Tracking
For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator. |
|
|
|
|
|
|
|
|
|
|
|