Standard for HIPAA Complaints and Investigations

Purpose

Ohio University, is a Health Insurance Portability and Accountability Act (HIPAA) Hybrid Entity, whose business activities include both covered and non-covered functions. As such, Ohio University investigates all complaints and incidences (collectively referred to hereafter as “incidents”) of potential breaches of Protected Health Information (PHI), submitted by any persons or parties, including but not limited to patients, workforce members, and any other person or party. In investigating such incidents a determination is made as to the nature of the incident, and if the incident meets the definition of a beach as outlined within the HIPAA regulations. In the event that an incident meets the definition of a HIPAA breach, notification to affected individuals is required according to HITECH and state laws.

Scope

This standard will apply to all Ohio University operating units that store, process, or transmit protected health information, and all persons or parties associated with Ohio University, including patients, workforce members, and any other person or party.

Standard

1. Incident Reporting
   1. Any individual that believes there has been a violation of Ohio University Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance, Ohio University’s Notice of Privacy Practices, or the Ohio University HIPAA Privacy Standards and Procedures may file a complaint with:
      1. The Ohio University HIPAA Privacy Officer. Complaints can be made orally or in writing and can be made anonymously. Contact information and the HIPAA Incident Reporting Form can be found on the main privacy page.
      2. The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services. Contact information and instructions for filing a complaint can be found at on the U.S. Department of Health and Human Services website.
      3. No retaliation or discipline will be imposed upon an individual, employee, or Ohio University agent as a result of filing a complaint regarding any violations of the HIPAA privacy regulations, Ohio University’s Notice of Privacy Practices, or Ohio University’s HIPAA Standards and Procedures.
2. Responsibility for Investigations
   1. Ohio University shall investigate and respond to all incidents with a written response within thirty (30) days of the time each incident report form is submitted in writing. If more time is required to investigate and resolve a specific incident, the complainant (if known) shall be notified in writing, that additional time is required to investigate and resolve the incident. In no case shall more than sixty (60) days elapse between the time an incident report is submitted in writing and the resolution of the incident.
   2. Ohio University’s HIPAA Privacy Officer shall investigate each and every incident in a fair, impartial, and unbiased manner. All parties named in the incident report, or who participated in events leading to the incident, shall be interviewed in a non-threatening and non-coercive manner.
   3. For complaints submitted to the federal government, Ohio University will cooperate fully and openly with federal authorities as they conduct their investigation.
   4. No officer, agent, employee, contractor, temporary worker, or volunteer of Ohio University shall obstruct or impede any investigation in any way, whether internal or federal.
3. Investigation of Reported Incidents
   1. Investigations may include, but not be limited to, interviews with individuals and personal, review of relevant documentation, obtaining specific facts relating to the potential violation / breach or other research as deemed appropriate by the HIPAA Privacy Officer.
   2. Investigations will be conducted according to the nature and extent of the breach and specific facts relating to the reported incident.
   3. In the course of an investigation, other university departments such as Research Compliance, Information Security, Legal Counsel or law enforcement may be engaged to assist in the investigation as necessary.
   4. To the extent possible, the confidentiality of all participants in the reported incident will be maintained throughout the investigation.
   5. Once the Ohio University HIPAA Privacy Officer has completed the investigation, the results of the investigation will be reported to the Ohio University HIPAA Breach Response and Corrective Action Committee.
4. Responses to Investigations
   1. The Ohio University HIPAA Breach Response and Corrective Action Committee will recommend a corrective action plan that will be shared with the Ohio University HIPAA Steering Committee, the Chief Medical Affairs Officer, General Counsel and University Executive Leadership as necessary and applicable.
      1. Each corrective action plan will identify actions necessary to mitigate the risk associated with the incident and prevent similar incidents from occurring in the future.
5. Final Resolution of Incidents
   1. The final resolution of disposition of each incident shall be documented in accordance with OU department/university practice. Each incident shall be documented and a summary of the findings shall be provided to the complainant within thirty (30) days of the date that each incident report is submitted in writing, unless the additional thirty (30) days of response time is invoked, as described above.
   2. In addition to providing complainants with a written response to their incident report, incidents that are found to have merit will be resolved with some remediation that is appropriate to the severity of the situation. Such remediation may include, but is not limited to:
      1. A written apology to the complainant from Ohio University;
      2. Credit-monitoring service for the complainant for a period of one (1) or two (2) years, paid for by Ohio University, when the incident involves a breach of unsecured individually identifiable health information that has been compromised or put at risk by our actions;
      3. Discipline against workforce members, as appropriate to the circumstances; or
      4. Other unspecified remediation(s), as determined by legal counsel and senior management.
6. Reporting
   1. Upon the conclusion of an investigation the HIPAA Privacy Officer will report to the HIPAA Steering Committee, the Chief Medial Affairs Officer and the applicable university leadership the results of the investigation and the details of the remediation plan.
   2. As appropriate, based on the severity, nature and details of the incident, the HIPAA Privacy Officer in collaboration with the HIPAA Breach Response and Corrective Action Committee, will determine what, if any, notification must be made in accordance with situations that meet the definition of a breach under the Ohio University HIPAA Privacy Standards and Procedures, the HIPAA/HITECH Act and/or applicable state breach notification requirements.
   3. For incidents that meet the definition of a breach, Ohio University will provide timely notification of breaches in accordance with the Ohio University HIPAA Privacy Standards and Procedures, HIPAA Standards: 10: Breach Notification.

Definitions

• Protected Health Information (PHI). PHI means individually identifiable health information created or received by (or on behalf of) a health care provider, health care clearinghouse, or health plan.
• Health information. Health information is any information that relates to the past, present, or future physical or mental health or condition of an Individual; or the past, present, or future payment for the provision of health care to an Individual. Health information is “individually identifiable” if it either identifies the Individual or contains enough specific information to identify the Individual.
• Breach. A breach is the acquisition, access, use or disclosure of Protected Health Information (PHI) in a manner not permitted by the HIPAA Privacy Rules, 45 CFR § 164.402.
• Retaliation. Retaliation shall be defined as, but not be limited to, actions that may intimidate, threaten, coerce, discriminate against or take other retaliatory action against an individual exercising their rights to file a complaint or incident report relating to HIPAA compliance.

References

• Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance Ohio University Provider HIPAA Privacy Standards and Procedures
• Ohio University Health Plan HIPAA Privacy Standards and Procedures HIPAA Incident Reporting Form
• Policy 03.006 Whistle-blowing and Retaliation

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee, and other key stakeholders in the interest of ensuring the privacy and security of individual’s health information, as deemed appropriate based on the current regulatory requirement mandates.