HIPAA Complaint Procedure for Protected Health Information (PHI)



I. Purpose

The purpose of this procedure is to define a process for individuals to file a complaint if they suspect a potential violation of their own or some other person's rights regarding the privacy of health information under the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HIPAA").

II. Definitions

Protected Health Information – Information ("PHI") created by or received from a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental condition of an individual; the provision of health care services to an individual; or the past, present, or future payment for the provision of health care services; and that either identifies the individual or provides a reasonable basis to believe that the information can be used to identify the individual. PHI does not include education records covered by the Family Educational Rights and Privacy Act; certain records of individuals 18 and older or who are enrolled in post-secondary education, as described at 20 U.S.C. 1232g(a)(4)(B)(iv); employment records held by a covered entity in its role as employer; and individually identifiable health information regarding a person who has been deceased for more than 50 years.

Complaint Form – Minimum information that must be collected on all complaints.

III. Applicability

This policy applies to covered University units that create or maintain PHI under HIPAA. Additionally, this policy will be used for complaints that originate within or are communicated to the University of North Carolina at Chapel Hill ("University") derived from an individual's interactions with a covered University unit or Business Associates of the covered University units; or from disclosures or uses of PHI between a covered University unit and other individuals, departments or units within the University; or from disclosures or uses of PHI by a Business Associate of a covered University unit.

IV. Procedure

Concerns about the University's privacy practices and those of covered University unit Business Associates may arise in a variety of contexts and may be received by many different persons at the University. It is important that the University respond to concerns and complaints in a timely manner. When a University representative (employee, volunteer, or student) hears or receives a concern, he/she should ask the complainant whether or not the complainant wishes to file a formal complaint and offer to assist the complainant with the form. Even if the person does not wish to file a complaint or provide identifying information, the University representative should proceed with the procedures outlined below.

A. Filing a Complaint

1. Non-University affiliated individuals (patients, families of patients, etc.)

Complaints of alleged privacy rights violations may be forwarded through multiple channels, such as telephone calls, letter via mail/email, or in person. If these complaints are received by a University employee, student, or volunteer, the person receiving the complaint will:

a. In response to a Telephone Call or In-Person Request to File a Complaint
  1. Complete the Privacy Complaint Form and immediately forward to the University HIPAA Privacy Officer, UNC-Chapel Hill, Information Technology Services, 440 W. Franklin St., CB #1150, Chapel Hill, NC 27599 or direct the individual to call the University Privacy Office at 919-962-6332.
  2. Offer to forward a copy of the complaint form to the Complainant.
b. In response to a Letter or Email (print out)
  1. Complete the Privacy Complaint Form and immediately forward to the University HIPAA Privacy Officer (see address above).
  2. Attach the written complaint to the complaint form.
c. In response to an Anonymous Complaint
  1. Complete the Privacy Complaint Form based on the information provided and immediately forward to the University HIPAA Privacy Officer (see address above).
  2. When possible, explain to the complainant that the University has an obligation to follow up on complaints whether or not they are anonymously filed.

2. University affiliated individuals (employees, students, and volunteers)

Call the University Privacy Office at 919.962.6332. Employees, students, and volunteers may also complete the Privacy Complaint Form and forward to the University Privacy Officer (see address above).

B. Receipt of Complaint

A complaint requires a Privacy Complaint Form to be received or generated by the University HIPAA Privacy Officer or his/her designee. Upon receipt of a complaint, the University Privacy Officer will initiate an investigation.

1. Initial review

All complaints will be initially reviewed by the University Privacy Officer or his/her designee to determine if the complaint alleges a violation of institutional established policies and procedures or other known regulations regarding the protection of individually identifiable health information. If there is no legitimate allegation, the University Privacy Officer will, when possible, contact the Complainant by letter and inform him/her of this finding within 60 days. All documentation will be maintained as prescribed in this policy.

2. Complaints requiring further review

If there is a legitimate allegation, the University Privacy Officer or his/her designee will conduct a detailed investigation by reviewing the covered University unit practices (or that of the Business Associate), contacting employees, students, or volunteers as needed, working with the Security Officer (as applicable), and utilizing other University resources as needed. Upon conclusion of the investigation, the University Privacy Officer will, when possible, contact the Complainant by letter and inform him/her of the finding within 60 days.

3. 60-day time frame

In the event that this 60-day period cannot be met, the University Privacy Officer shall, when possible, communicate this determination to the Complainant in writing and include an estimated timeframe for completion of the investigation.

C. Outcome of Investigation

The purpose of the investigation is to determine the compliance of the University, Business Associates, and University affiliated individuals with University institutional policies and procedures implementing the privacy standards mandated by HIPAA. The University will mitigate, to the extent practicable, any risk of compromise of PHI and any resulting harmful effect that is known or discovered in violation of the University's policies and procedures or HIPAA's privacy requirements by the University or any of its Business Associates. In the event that disciplinary action is recommended, the University Privacy Officer or his/her designee will coordinate any action with the Office of the Provost, the Office of Human Resources, the Dean of Students, and department/unit heads, as appropriate.

D. Documentation

All complaints sent to the University Privacy Officer shall be documented in a format that includes all of the information contained on the Privacy Complaint Form. The University Privacy Officer will maintain all completed complaints' documentation for six years from the initial date of the complaint.

V. Coordinating Instructions

A. Covered University Unit Implementation

Covered University Units must use this policy, procedure and form or incorporate into existing policies, or develop covered University unit-specific policies, procedures and forms that comply with the guidance outlined above. In the event that further guidance is needed in developing these documents, the covered University unit may contact the University Privacy Officer.

B. Procedure Review, Revision, and Retention

All covered University unit-specific policies and procedures should be reviewed as needed and amended as necessary. Every complaint policy and procedure revision/replacement should be maintained a minimum of six years. Other University requirements may stipulate a longer retention period.



Article ID: 132086
Thu 4/8/21 9:23 PM
Thu 7/29/21 5:03 PM
Effective Date: 07/14/2020 4:39 PM
Issuing Officer Title: Chief Privacy Officer and Associate University Counsel
Last Review: 07/14/2020 4:39 PM
Last Revised: 11/01/2015 12:00 AM
Next Review: 09/30/2021 12:00 AM
Date on which the original version of this document was first made official: 11/01/2015 12:00 AM
Responsible Unit: Institutional Privacy Office