Wednesday, September 26, 2012
Filing a complaint with HHS about a HIPAA violation: a warning about "how (not) to"
I posted in June about the fact that my social security number (and possibly other personal information) had been downloaded to an unknown site in Eastern Europe as part of a large security breach from the Utah state health department, http://lawprofessors.typepad.com/healthlawprof_blog/2012/06/i-do-notusually-tell-personal-stories-in-scholarship-but-this-is-a-blog-and-imexperimenting-i-hope-my-story-will-beof-m.html. In connection with that breach, I have filed a complaint with the Office for Civil Rights at HHS (OCR).
I thought readers might like to know, however, that the process of complaining about a HIPAA violation to OCR is cumbersome indeed. There are forms available on line, here, http://www.hhs.gov/ocr/privacy/hipaa/complaints/hipcomplaintform.pdf. You can open them, and fill in information, but you can't save them. If you close the form, you lose all the data. You also can't file them online--you have to print them out and fax them off. (You are helpfully told, however, to "print out a copy for your records.") I finally figured out that if you save the form to notepad before you fill it out, you can then email it to HHS--but this required a telephone call to the appropriate regional office of HHS.
When I pointed out to OCR that this process is not exactly user-friendly, they indicated that they are "working on it." Imagine someone without a home computer, or a home fax machine, or a home printer, using public library computers in the effort to reach OCR about what they regard as a significant problem with their health information. Surely in a world of blue buttons and digital Medicare strategies, see Responsive Design and the New Medicare.gov, http://www.hhs.gov/digitalstrategy/responsive-design-and-new-medicaregov.html, the ability to file a complaint about possible violations of health information security or confidentality should be an easier online process.