The University of North Carolina at Chapel Hill Procedure for HIPAA Complaints
I. Purpose
The purpose of this procedure is to define a process for individuals to file a complaint if they suspect a potential violation of their own or some other person's rights regarding the privacy of health information under the Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HIPAA").
II. Definitions
Protected Health Information ("PHI") – Information created by or received from a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental condition of an individual; the provision of health care services to an individual; or the past, present, or future payment for the provision of health care services; and that either identifies the individual or provides a reasonable basis to believe that the information can be used to identify the individual. PHI does not include education records covered by the Family Educational Rights and Privacy Act; certain records of individuals 18 and older or who are enrolled in post-secondary education, as described at 20 U.S.C. 1232g(a)(4)(B)(iv); employment records held by a covered entity in its role as employer; and individually identifiable health information regarding a person who has been deceased for more than 50 years.
Complaint Form – Minimum information that must be collected on all complaints.
III. Applicability
This policy applies to the University of North Carolina at Chapel Hill ("University") Covered Components that create or maintain protected health information ("PHI") under HIPAA. Additionally, this policy will be used for complaints that originate within or are communicated to the University derived from an individual's interactions with a Covered Component or Business Associates of the Covered Components; or from disclosures or uses of PHI between a Covered Component and other individuals, departments or units within the University; or from disclosures or uses of PHI by a Business Associate of a Covered Component.
IV. Procedure
Concerns about the University's privacy practices and those of Covered Component Business Associates may arise in a variety of contexts and may be received by many different persons at the University. It is important that the University respond to concerns and complaints in a timely manner. When a University representative (employee, volunteer, or student) hears or receives a concern, he/she should ask the complainant whether or not the complainant wishes to file a formal complaint and offer to assist the complainant with the form. Even if the person does not wish to file a complaint or provide identifying information, the University representative should proceed with the procedures outlined below.
A. Filing a Complaint
1. Non-University affiliated individuals (patients, families of patients, etc.)
Complaints of alleged privacy rights violations may be forwarded through multiple channels, such as telephone calls, letter via mail/email, or in person. If these complaints are received by a University employee, student, or volunteer, the person receiving the complaint will:
a. In response to a Telephone Call or In-Person Request to File a Complaint
- Complete the Privacy Complaint Form and immediately forward it to the University's Chief Privacy Officer, UNC-Chapel Hill, Institutional Privacy Office, 103 Airport Dr., Ste. 106, Chapel Hill, NC 27599 CB# 1025 or direct the individual to call the University Institutional Privacy Office at 919-962-6332.
- Offer to forward a copy of the complaint form to the Complainant.
b. In response to a Letter or Email (print out)
- Complete the Privacy Complaint Form and immediately forward it to the University's Chief Privacy Officer (see address above).
- Attach the written complaint to the complaint form.
c. In response to an Anonymous Complaint
- Complete the Privacy Complaint Form based on the information provided and immediately forward it to the University's Chief Privacy Officer (see address above).
- When possible, explain to the complainant that the University has an obligation to follow up on complaints whether or not they are anonymously filed.
2. University affiliated individuals (employees, students, and volunteers)
Call the University's Institutional Privacy Office at 919.962.6332. Employees, students, and volunteers may also complete the Privacy Complaint Form and forward it to the University's Chief Privacy Officer (see address above).
B. Receipt of Complaint
A complaint requires a Privacy Complaint Form to be received or generated by the University's Chief Privacy Officer or his/her designee. Upon receipt of a complaint, the University's Chief Privacy Officer will initiate an investigation.
1. Initial review
All complaints will be initially reviewed by the University's Chief Privacy Officer or his/her designee to determine if the complaint alleges a violation of institutionally established policies and procedures or other known regulations regarding the protection of individually identifiable health information. If there is no legitimate allegation, the University's Chief Privacy Officer will, when possible, contact the Complainant by letter and inform him/her of this finding within 60 days. All documentation will be maintained as prescribed in this policy.
2. Complaints requiring further review
If there is a legitimate allegation, the University's Chief Privacy Officer or his/her designee will conduct a detailed investigation by reviewing the Covered Component practices (or that of the Business Associate), contacting employees, students, or volunteers as needed, working with the University's Chief Information Security Officer (as applicable), and utilizing other University resources as needed. Upon conclusion of the investigation, the University's Chief Privacy Officer will, when possible, contact the Complainant by letter and inform him/her of the finding within 60 days.
3. 60-day time frame
In the event that this 60-day period cannot be met, the University's Chief Privacy Officer shall, when possible, communicate this determination to the Complainant in writing and include an estimated timeframe for completion of the investigation.
C. Outcome of Investigation
The purpose of the investigation is to determine the compliance of the University, Business Associates, and University affiliated individuals with University institutional policies and procedures implementing the privacy standards mandated by HIPAA. The University will mitigate, to the extent practicable, any risk of compromise of PHI and any resulting harmful effect that is known or discovered in violation of the University's policies and procedures or HIPAA's privacy requirements by the University or any of its Business Associates. In the event that disciplinary action is recommended, the University's Chief Privacy Officer or his/her designee will coordinate any action with the Office of the Provost, the Office of Human Resources, the Dean of Students, and department/unit heads, as appropriate.
D. Documentation
All complaints sent to the University's Chief Privacy Officer shall be documented in a format that includes all of the information contained on the Privacy Complaint Form. The University's Chief Privacy Officer will maintain all completed complaints' documentation for six years from the initial date of the complaint.
V. Coordinating Instructions
A. Covered Component Implementation
Covered Components must use this policy, procedure and form, or incorporate them into existing policies, or develop covered University unit-specific policies, procedures and forms that comply with the guidance outlined above. In the event that further guidance is needed in developing these documents, the Covered Component may contact the University's Institutional Privacy Office.
B. Procedure Review, Revision, and Retention
All Covered Component-specific policies and procedures should be reviewed as needed and amended as necessary. Every complaint policy and procedure revision/replacement should be maintained a minimum of six years. Other University requirements may stipulate a longer retention period.