HIPAA COMPLAINT RESPONSE
RESPONSE TO HHS OFFICE FOR CIVIL RIGHTS (OCR) COMPLAINT/INVESTIGATION
ORGANIZATION INFORMATION
Organization Name: [________________________________]
Address: [________________________________]
City, State, ZIP: [________________________________]
NPI (if applicable): [________________________________]
Phone: [________________________________]
Fax: [________________________________]
Email: [________________________________]
DESIGNATED CONTACTS
Privacy Officer:
Name: [________________________________]
Title: [________________________________]
Phone: [________________________________]
Email: [________________________________]
Security Officer:
Name: [________________________________]
Title: [________________________________]
Phone: [________________________________]
Email: [________________________________]
Legal Counsel:
Name: [________________________________]
Firm: [________________________________]
Phone: [________________________________]
Email: [________________________________]
COMPLAINT/INVESTIGATION INFORMATION
OCR Transaction Number: [________________________________]
OCR Regional Office: [________________________________]
OCR Investigator Name: [________________________________]
OCR Investigator Contact: [________________________________]
Date Complaint Received: [__/__/____]
Response Deadline: [__/__/____]
Complaint Type:
☐ Privacy Rule Complaint
☐ Security Rule Complaint
☐ Breach Notification Rule Complaint
☐ Combined Privacy/Security Complaint
☐ Compliance Review (non-complaint based)
SECTION 1: COMPLAINT SUMMARY
1.1 Complainant Information (if provided)
Complainant Name: [________________________________]
Relationship to Organization:
☐ Patient
☐ Former Patient
☐ Employee
☐ Former Employee
☐ Business Associate
☐ Other: [________________________________]
1.2 Nature of Complaint
Date(s) of Alleged Violation: [__/__/____] to [__/__/____]
Summary of Allegations:
[________________________________]
[________________________________]
[________________________________]
[________________________________]
1.3 HIPAA Provisions at Issue
☐ 45 CFR § 164.502 - Uses and disclosures of PHI
☐ 45 CFR § 164.508 - Authorization requirements
☐ 45 CFR § 164.520 - Notice of Privacy Practices
☐ 45 CFR § 164.522 - Rights to request restrictions
☐ 45 CFR § 164.524 - Access to PHI
☐ 45 CFR § 164.526 - Amendment of PHI
☐ 45 CFR § 164.528 - Accounting of disclosures
☐ 45 CFR § 164.530 - Administrative requirements
☐ 45 CFR § 164.308 - Administrative safeguards (Security)
☐ 45 CFR § 164.310 - Physical safeguards (Security)
☐ 45 CFR § 164.312 - Technical safeguards (Security)
☐ 45 CFR § 164.404 - Breach notification
☐ Other: [________________________________]
SECTION 2: INTERNAL INVESTIGATION
2.1 Investigation Team
| Name | Title | Role |
|---|---|---|
| [________________________________] | [________________________________] | Lead Investigator |
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
2.2 Investigation Timeline
| Date | Action | Responsible Party | Status |
|---|---|---|---|
| [__/__/____] | Complaint received from OCR | [________________________________] | ☐ Complete |
| [__/__/____] | Investigation team assembled | [________________________________] | ☐ Complete |
| [__/__/____] | Legal counsel engaged | [________________________________] | ☐ Complete |
| [__/__/____] | Document preservation notice issued | [________________________________] | ☐ Complete |
| [__/__/____] | Evidence collection completed | [________________________________] | ☐ Complete |
| [__/__/____] | Witness interviews completed | [________________________________] | ☐ Complete |
| [__/__/____] | Investigation report drafted | [________________________________] | ☐ Complete |
| [__/__/____] | Response submitted to OCR | [________________________________] | ☐ Complete |
2.3 Document Preservation
Document Preservation Notice Issued: ☐ Yes ☐ No
Date Issued: [__/__/____]
Departments/Individuals Notified:
☐ All workforce members with knowledge of incident
☐ IT Department
☐ Medical Records
☐ Billing Department
☐ Human Resources
☐ Other: [________________________________]
Documents to be Preserved:
☐ Medical records related to complainant
☐ Access logs and audit trails
☐ Email communications
☐ Policies and procedures in effect at time of incident
☐ Training records
☐ Business Associate Agreements
☐ Notice of Privacy Practices
☐ Authorization forms
☐ Incident reports
☐ Other: [________________________________]
2.4 Evidence Collected
| Item | Description | Date Collected | Collected By |
|---|---|---|---|
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
2.5 Witness Interviews
| Name | Title | Date Interviewed | Interviewer |
|---|---|---|---|
| [________________________________] | [________________________________] | [__/__/____] | [________________________________] |
| [________________________________] | [________________________________] | [__/__/____] | [________________________________] |
| [________________________________] | [________________________________] | [__/__/____] | [________________________________] |
SECTION 3: FINDINGS OF INTERNAL INVESTIGATION
3.1 Factual Findings
Summary of Facts Established:
[________________________________]
[________________________________]
[________________________________]
[________________________________]
3.2 Determination
Did a HIPAA violation occur?
☐ No violation occurred - allegations are unfounded
☐ No violation occurred - actions were permitted under HIPAA
☐ Technical violation occurred but no harm resulted
☐ Violation occurred - corrective action taken
☐ Violation occurred - corrective action in progress
☐ Investigation inconclusive
Explanation:
[________________________________]
[________________________________]
[________________________________]
3.3 Root Cause Analysis (if violation found)
Root Cause(s) Identified:
☐ Policy/procedure deficiency
☐ Training deficiency
☐ Technical safeguard failure
☐ Physical safeguard failure
☐ Administrative safeguard failure
☐ Human error
☐ Intentional misconduct
☐ Business associate failure
☐ Other: [________________________________]
Detailed Root Cause Analysis:
[________________________________]
[________________________________]
[________________________________]
SECTION 4: RESPONSE TO OCR
4.1 Response Cover Letter
Date: [__/__/____]
Via: ☐ OCR Portal ☐ Email ☐ Certified Mail ☐ Other: [________________________________]
To:
U.S. Department of Health and Human Services
Office for Civil Rights
[________________________________]
[________________________________]
Re: OCR Transaction Number: [________________________________]
Dear OCR Investigator:
[________________________________] ("Organization") submits this response to the complaint filed with the Office for Civil Rights on [__/__/____], Transaction Number [________________________________].
We have conducted a thorough internal investigation and provide the following information in response to your inquiry.
4.2 Organizational Background
[________________________________]
[________________________________]
[________________________________]
4.3 Response to Specific Allegations
Allegation 1: [________________________________]
Response:
[________________________________]
[________________________________]
[________________________________]
Supporting Documentation: [________________________________]
Allegation 2: [________________________________]
Response:
[________________________________]
[________________________________]
[________________________________]
Supporting Documentation: [________________________________]
Allegation 3: [________________________________]
Response:
[________________________________]
[________________________________]
[________________________________]
Supporting Documentation: [________________________________]
4.4 Policies and Procedures in Effect
Relevant Policies/Procedures:
| Policy Name | Effective Date | Description |
|---|---|---|
| [________________________________] | [__/__/____] | [________________________________] |
| [________________________________] | [__/__/____] | [________________________________] |
| [________________________________] | [__/__/____] | [________________________________] |
4.5 Training Documentation
Training Records Provided:
☐ HIPAA Privacy training records for relevant workforce members
☐ HIPAA Security training records for relevant workforce members
☐ Training curricula/materials in effect at time of incident
☐ Other: [________________________________]
4.6 Corrective Actions Taken
| Action | Description | Implementation Date | Responsible Party |
|---|---|---|---|
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
| [____] | [________________________________] | [__/__/____] | [________________________________] |
SECTION 5: CORRECTIVE ACTION PLAN
5.1 Immediate Actions Taken
☐ Disciplinary action against responsible workforce member(s)
☐ Terminated access to PHI for responsible individual(s)
☐ Notified affected individual(s)
☐ Mitigated harm to affected individual(s)
☐ Secured PHI at issue
☐ Other: [________________________________]
5.2 Short-Term Corrective Actions (0-30 days)
| Action | Target Date | Responsible Party | Status |
|---|---|---|---|
| [________________________________] | [__/__/____] | [________________________________] | ☐ Complete ☐ In Progress |
| [________________________________] | [__/__/____] | [________________________________] | ☐ Complete ☐ In Progress |
| [________________________________] | [__/__/____] | [________________________________] | ☐ Complete ☐ In Progress |
5.3 Long-Term Corrective Actions (30-180 days)
| Action | Target Date | Responsible Party | Status |
|---|---|---|---|
| [________________________________] | [__/__/____] | [________________________________] | ☐ Complete ☐ In Progress |
| [________________________________] | [__/__/____] | [________________________________] | ☐ Complete ☐ In Progress |
| [________________________________] | [__/__/____] | [________________________________] | ☐ Complete ☐ In Progress |
5.4 Policy and Procedure Updates
| Policy/Procedure | Change Description | Implementation Date |
|---|---|---|
| [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [__/__/____] |
5.5 Additional Training
| Training Topic | Target Audience | Completion Date |
|---|---|---|
| [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [__/__/____] |
5.6 Technical/Operational Changes
| Change | Description | Implementation Date |
|---|---|---|
| [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [__/__/____] |
| [________________________________] | [________________________________] | [__/__/____] |
SECTION 6: DOCUMENTATION SUBMITTED TO OCR
6.1 Document Index
| Exhibit | Description | Pages |
|---|---|---|
| A | [________________________________] | [____] |
| B | [________________________________] | [____] |
| C | [________________________________] | [____] |
| D | [________________________________] | [____] |
| E | [________________________________] | [____] |
| F | [________________________________] | [____] |
| G | [________________________________] | [____] |
| H | [________________________________] | [____] |
6.2 Privilege Log (if applicable)
| Document Description | Privilege Claimed | Basis |
|---|---|---|
| [________________________________] | ☐ Attorney-Client ☐ Work Product | [________________________________] |
| [________________________________] | ☐ Attorney-Client ☐ Work Product | [________________________________] |
SECTION 7: CLOSING STATEMENT
The Organization takes its HIPAA compliance obligations seriously and is committed to protecting the privacy and security of protected health information. We have cooperated fully with this investigation and have taken [or will take] all necessary steps to address the issues identified.
We respectfully request that OCR close this matter based on the information provided herein demonstrating:
☐ No violation occurred
☐ Violation has been corrected and appropriate corrective actions implemented
☐ Technical assistance is sufficient to resolve the matter
We remain available to provide any additional information OCR may require. Please do not hesitate to contact the undersigned with any questions.
SIGNATURES
Prepared by:
Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Reviewed by Legal Counsel:
Signature: [________________________________]
Name: [________________________________]
Firm: [________________________________]
Date: [__/__/____]
Authorized Representative:
Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
INTERNAL TRACKING - DO NOT SUBMIT TO OCR
Response Tracking
| Date | Action | Notes |
|---|---|---|
| [__/__/____] | Response submitted | [________________________________] |
| [__/__/____] | OCR acknowledgment received | [________________________________] |
| [__/__/____] | OCR follow-up request received | [________________________________] |
| [__/__/____] | Supplemental response submitted | [________________________________] |
| [__/__/____] | Resolution letter received | [________________________________] |
Resolution
Case Disposition:
☐ Closed - No violation found
☐ Closed - Technical assistance provided
☐ Closed - Corrective action obtained
☐ Resolution Agreement/Corrective Action Plan
☐ Civil Money Penalty
☐ Other: [________________________________]
Date Closed: [__/__/____]
About This Template
Jurisdiction-Specific
This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.
How It's Made
Drafted using current statutory databases and legal standards for regulatory compliance. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026