Industries & Practices

Health Care Industry


    HIPAA Regulations: The Administrative Requirements: Complaints to the Covered Entity - § 164.530(d)

    As Contained in the HHS HIPAA Rules


    HHS Regulations
    The Administrative Requirements: Complaints to the Covered Entity - § 164.530(d)


    1. Standard: complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.

    2. Implementation specification: documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.


    HHS Description
    The Administrative Requirements: Complaints to the Covered Entity


    In § 164.518(d) of the NPRM, we proposed to require covered entities to have a mechanism for receiving complaints from individuals regarding the health plan's or provider's compliance with the requirements of this proposed rule. We did not require that the health plan or provider develop a formal appeals mechanism, nor that "due process" or any similar standard be applied. Additionally, there was no requirement to respond in any particular manner or time frame.

    We proposed two basic requirements for the complaint process. First, the covered health plan or health care provider would be required to identify in the notice of information practices a contact person or office for receiving complaints. Second, the health plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of their resolution, if any.

    In the final rule, we retain the requirement for an internal complaint process for compliance with this rule, including the two basic requirements of identifying a contact person and documenting complaints received and their dispositions, if any. We expand the scope of complaints that covered entities must have a means of receiving to include complaints concerning violations of the covered entity’s privacy practices, not just violations of the rule. For example, a covered entity must have a mechanism for receiving a complaint that patient information is used at a nursing station in a way that it can also be viewed by visitors to the hospital, regardless of whether the practices at the nursing stations might constitute a violation of this rule.


    HHS Response to Comments Received
    The Administrative Requirements: Complaints to the Covered Entity


    Comment: Several commenters felt that some form of due process is needed when it comes to internal complaints. Specifically, they wanted to be assured that the covered entity actually hears the complaints made by the individual and that the covered entity resolves the complaint within a reasonable time frame. Without due process the commenters felt that the internal complaint process is open ended. Some commenters wanted the final rule to include an appeals process for individuals if a covered entity's determination in regards to the complaint is unfavorable to the individual.

    Response: We do not require covered entities to implement any particular due process or appeals process for complaints, because we are concerned about the burden this could impose on covered entities. We provide individuals with an alternative to take their complaints to the Secretary. We believe that this provides incentives for covered entities to implement a complaint process that resolves complaints to individuals' satisfaction.

    Comment: Some commenters felt that the individual making the complaint should exhaust all other avenues to resolve their issues before filing a complaint with the Secretary. A number of commenters felt that any complaint being filed with the Secretary should include documentation of the reviews done by the covered entity.

    Response: We reject these suggestions, for two reasons. First, we want to avoid establishing particular process requirements for covered entities' complaint programs. Also, this rule does not require the covered entity to share any information with the complainant, only to document the receipt of the complaint and the resolution, if any. Therefore, we cannot expect the complainant to have this information available to submit to the Secretary. Second, we believe the individual making the complaint should have the right to share the complaint with the Secretary at any point in time. This approach is consistent with existing civil rights enforcement programs for which the Department is responsible. Based on that experience, we believe that most complaints will come first to covered entities for disposition.

    Comment: Some commenters wanted the Department to prescribe a minimum amount of time before the covered entity could dispose of the complaints. They felt that storing these complaints indefinitely would be cumbersome and expensive.

    Response: We agree, and in the final rule require covered entities to keep all items that must be documented, including complaints, for at least six years from the date of creation.

    Comments: Some commenters objected to the need for covered entities to have at least one employee, if not more, to deal with complaints. They felt that this would be costly and is redundant in light of the designation of a contact person to receive complaints.

    Response: We do not require assignment of dedicated staff to handle complaints. The covered entity can determine staffing based on its needs and business practices. We believe that consumers need one clear point of contact for complaints, in order that this provision effectively inform consumers how to lodge complaints and so that the compliant will get to someone who knows how to respond. The contact person (or office) is for receipt of complaints, but need not handle the complaints.