NOTE: In the February 2014 issue of the AVOIDING LIABILITY BULLETIN, I raised many questions for the reader’s thought, research, and discussion with colleagues. The questions were on a variety of topics, arranged alphabetically. Some of those questions, with my answers, follow. The answers are brief and are not intended to be a thorough exploration of the topic. (In the March 2014 issue of the AVOIDING LIABILITY BULLETIN, I answered questions raised on the topics of barter, neglect, violence toward patient, and taking a zoo trip with patient.)
What agency of government investigates patient complaints for a violation of HIPAA’s Privacy Rule? Is it a complete defense to such a complaint that the practitioner is and was not a “covered entity?”
DISCUSSION: The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), is the governmental agency that receives and investigates patient complaints alleging violations of the Privacy Rule (part of the federal regulations promulgated by HHS to implement HIPAA). In order for OCR to acquire jurisdiction over an individual mental health practitioner, the practitioner would have to be a “covered entity.” I assume in this brief article that the reader knows whether or not he or she is a “covered entity.” This determination is critical because a covered entity (which may be a sole proprietor of a health care practice) would be governed by the Privacy Rule, while a practitioner who is not a covered entity will be governed by state laws and regulations.
Thus, when federal agents visit your practice or contact you to discuss a complaint alleging a violation of the patient’s confidentiality or privacy, if you are a not a covered entity (a/k/a covered provider), the “feds” should have no further involvement with you. The issue of whether or not you were, at the time of the alleged violation, a covered entity would of course be explored, and if it was determined that you were not a covered entity, this should operate as a complete defense to the complaint – at least with respect to the federal government’s intervention. The complainant would likely be referred to the state licensing authority to investigate the complaint involving privacy and confidentiality.
Consumer complaints involving the right of the patient to access records (e.g., the refusal by the practitioner to allow access or the limiting of full access) may also be the subject of scrutiny by OCR since the Privacy Rule addresses patient access to records. As with confidentiality and privacy complaints, the “feds” would not have jurisdiction if the practitioner was not a “covered provider/entity.”