A Covered Entity (CE) Must Have an Established Complaint Process
In accordance with the Health Insurance Portability and Accountability Act (HIPAA), all Covered Entities (CEs) are required to have an established complaint process.
A Covered Entity is any organization or individual, such as a health plan, health care provider, or health care clearinghouse, that transmits, processes, or stores Protected Health Information (PHI) in electronic form. These entities are subject to HIPAA regulations and must ensure that appropriate measures are taken to protect patients’ PHI.
Under HIPAA, a Covered Entity must have an established complaint process for investigations related to the handling of Protected Health Information. This includes notifying a patient, or their legal guardian, if their PHI has been breached. The complaint process must also provide guidance for individuals to file complaints regarding the mishandling of their PHI.
The complaint process must include the following elements:
- A clear description of the complaint process, including how it may be accessed and how a complaint should be filed.
- The contact information for the Covered Entity to which the complaint may be filed.
- Information about the investigation of the complaint.
- The timeframe for resolving the complaint.
- An explanation of the steps taken to resolve the complaint.
- A contact person designated by the Covered Entity to support the complaint process.
- Any sanctions imposed or corrective action taken in response to the complaint.
The complaint process must also provide patients with a way to follow up on their complaint. The process should include a way for the complainant to contact the Covered Entity to confirm that their complaint has been received, and to find out the status of the investigation.
The complaint process should be accessible to all patients, including those with disabilities. Covered Entities should also provide information on the complaint process to patients and visitors. This may include posting it in a public space such as the Covered Entity’s website or lobby.
A Covered Entity is legally required to have an established complaint process, and failure to do so can result in significant fines and penalties. Patients can also file a civil lawsuit against the Covered Entity for any violation of HIPAA’s Privacy or Security Rules.