Policy/Memo 114

Number: Policy Memo 114
Date Issued: April 14, 2003
Policy File Ref: A1810
Subject: HIPAA Privacy Policy and Administrative Requirements

PURPOSE:

To issue instructions to EBD workforce members regarding the process for individuals to file complaints about EBD's privacy policies and procedures, its compliance with those policies and procedures, or its compliance with the HIPAA regulations.

Policy:

The Notice of Privacy Practices available to individuals shall include a brief description of how individuals may file a complaint regarding EBD’s privacy policies, its compliance with such policies, or its compliance with the HIPAA privacy requirements.

A complaint concerning any of EBD’s privacy policies and procedures, or compliance with such policies and procedures, will be handled by the EBD Complaint Official in accordance with the applicable privacy policies and procedures. Appeals of the Complaint Official’s determination will be reviewed and decided by the Department’s HIPAA Officer.

There shall be no retaliation against any individual for having filed or assisted in the filing of a complaint.

Procedure:

Complaints from Individuals (non-workforce members)
As indicated in NYSHIP’s Notice of Privacy Practices, individuals should contact the Complaint Official if they would like to file a complaint regarding EBD’s privacy policies, its compliance with such policies, or its compliance with the HIPAA privacy requirements. The complaints should be submitted in writing within 180 days of when the individual learned of the problem.

Complaints Received via Telephone or In Person
Staff members should instruct any individual wishing to file a complaint regarding EBD’s privacy policies, its compliance with such policies, or its compliance with the HIPAA privacy requirements to submit the complaint in writing to the designated EBD Complaint Official.

Complaints Received in Writing
All written complaints regarding EBD’s privacy policies, its compliance with such policies, or its compliance with the HIPAA privacy requirements should be forwarded directly to the EBD Complaint Official. All complaints must be submitted in writing, must specify the subject of the complaint, and must describe the acts or omissions believed to be in violation of the HIPAA privacy standards, or in violation of the EBD privacy policies and procedures. The complaint must also include the individual’s name, address, telephone number and social security number, and the date the individual learned of the problem. A complaint must be filed within 180 days of when the Complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Complaint Official for good cause shown.

Complaints from Individuals regarding an Insurer or HMO
If an individual wishes to file a complaint about one of the contracted NYSHIP insurers, HMOs or Business Associates, staff should refer the individual to the EBD Complaint Official. The Complaint Official shall document the details of the complaint and provide the appropriate phone number and office or official point of contact at the vendor. The EBD Complaint Official shall involve other staff as necessary.

Complaints from EBD Staff
An EBD employee who is aware of a potential violation of the HIPAA regulations by EBD, an EBD staff member or one of EBD’s business associates should report the violation to his/her supervisor, who in turn should report the incident to the EBD Complaint Official. If reporting directly to the supervisor is not practicable, or if the supervisor is the person responsible for the alleged violation, the staff member should report the violation directly to EBD’s Complaint Official.

Any supervisor who receives information about a potential violation of HIPAA regulations should report the incident immediately to the EBD Complaint Official.

Investigations by the Complaint Official
The Complaint Official shall investigate any complaints received; an investigation may include a review of the pertinent policies, procedures, or practices of the health care component, and of the circumstances regarding any alleged acts or omissions concerning compliance. The circumstances of any alleged HIPAA rights violation shall be investigated, and if appropriate, reasonable steps shall be taken to mitigate the effects of any violation according to the Department’s policy on Mitigation of HIPAA violations. If the results of the investigation indicate that a workforce member made an unauthorized use or disclosure of PHI, or otherwise violated EBD’s privacy policies and procedures, such finding shall be reported to the workforce member’s supervisor and sanctions shall be applied as necessary and appropriate according to the Department’s policy on Sanctions for HIPAA violations.

The Complaint Official shall provide the Complainant with a timely, written decision that shall be communicated to the Complainant in a language and manner the complainant understands. The Complaint Official will document all complaints received and their disposition. The decision must inform the complainant of the right to appeal to the Department’s HIPAA Officer within 30 days of the date of the letter. Complainants appealing an adverse determination should be directed to submit their written appeal to the Department HIPAA Officer, Building 1 State Campus, Albany, NY 12239.

No individual will be retaliated against for filing a complaint.

Appeals of Complaints
The Department’s designated HIPAA Officer will review each valid appeal, conduct an investigation as necessary and respond to the complainant. The EBD Privacy Official will serve as the primary point of contact for the HIPAA Officer in the event of an appeal investigation. Division staff shall provide documentation and records relating to pertinent policies, procedures and practices of EBD, and any available information regarding the circumstances of the alleged acts or omissions concerning compliance. Division staff shall cooperate fully and shall comply with directions for procedural or policy modifications, if any, resulting from the disposition of the complaint. EBD policies and procedures may be amended as appropriate based on findings of the investigation.

Documentation
All complaints and their disposition shall be documented and maintained for a period of six (6) years after the date of the matter’s final disposition.