NRPM: Standards for Privacy of Individually Identifiable Health Information. 4. Internal complaint process. (§ 164.518(d))


In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. The covered plan or provider would be required to accept complaints about any aspect of their practices regarding protected health information. For example, individuals would be able to file a complaint when they believe that protected health information relating to them has been used or disclosed improperly, that an employee of the plan or provider has improperly handled the information, that they have wrongfully been denied access to or opportunity to amend the information, or that the entity’s notice does not accurately reflect its information practices. We would not require that the entity develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. We would not require that covered entities respond in any particular manner or time frame.

We are proposing two basic requirements for the complaint process. First, the covered plan or provider would be required to identify a contact person or office in the notice of information practices for receiving complaints. This person or office could either be responsible for handling the complaints or could put the individual in touch with the appropriate person within the entity to handle the particular complaint. See proposed § 164.512. This person could be, but would not have to be, the entity’s privacy official. See § 164.518(a)(2). Second, the covered plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of the resolution, if any.

Covered plans and providers could implement this requirement through a variety of mechanisms based on their size and capabilities. For example, a small practice could assign a clerk to log in written and/or verbal complaints as they are received, and assign one physician to review all complaints monthly, address the individual situations and make changes to policies or procedures as appropriate. Results of the physician's review of individual complaints then could be logged by the clerk. A larger provider or health plan could choose to implement a formal appeals process with standardized time frames for response.

We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices. If an individual and a covered plan or provider are able to resolve the individual’s complaint, there may be no need for the individual to file a complaint with the Secretary under proposed § 164.522(b). However, an individual has the right to file a complaint with the Secretary at any time. An individual may file a complaint with the Secretary before, during, after, or concurrent with filing a complaint with the covered plan or provider or without filing a complaint with the covered plan or provider.

We are considering whether modifications of these complaint procedures for intelligence community agencies may be necessary to address the handling of classified information and solicit comment on the issue.