NRPM: Standards for Privacy of Individually Identifiable Health Information. b. Individual complaints and compliance reviews.


We are proposing in § 164.522(b) that individuals have the right to file a complaint with the Secretary if they believe that a covered plan or provider has failed to comply with the requirements of this subpart. Because individuals would have received notice, pursuant to proposed § 164.512, of the uses and disclosures that the entity could make and of the entity’s privacy practices, they would have a basis for making a realistic judgment as to when a particular action or omission would be improper. The notice would also inform individuals how they could find out how to file such complaints. We thus consider the proposed complaint right to be one that could realistically be exercised by individuals, given the regulatory structure proposed.

We are concerned about the burden that handling the potential volume of such complaints would create for this Department, but we recognize that such a complaint mechanism would provide helpful information about the privacy practices of covered plans or providers and could serve to identify particularly troublesome compliance problems on an early basis.

The procedures proposed in this section are modeled on those used by the Department’s Office for Civil Rights, although they would be adapted to reflect the requirements of this subpart. We would require complainants to identify the entities and describe the acts or omissions alleged to be out of compliance and would require individuals to file such complaints within 180 days of those acts or omissions. We have tried to keep the requirements for filing complaints as minimal as possible, to facilitate use of this right. The Secretary would also attempt to keep the identity of complainants confidential, if possible. However, we recognize that it could be necessary to disclose the identity of complainants in order to investigate the substance of their complaints, and the rules proposed below would permit such disclosures.

The Secretary could promulgate alternative procedures for complaints based on agency-specific concerns. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

The Secretary would try to resolve complaints on an informal basis wherever possible. Where a resolution could not be reached, the Secretary could make a formal finding of noncompliance. However, resolution could occur, and an agreement reached with the covered entity, even after a finding that a violation occurred. The Secretary could use the finding as a basis to initiate an action under section 1176 of the Act or to refer the matter to the Department of Justice for prosecution under section 1177 of the Act. It should be recognized that the decision to initiate an action under either section of the law would be a discretionary one, and proposed § 164.522 would not require such prosecutorial action to be taken. Proposed § 164.522(e)(1)(ii) would, however, permit the use of findings made in connection with a complaint, group of complaints, or compliance review to be acted on in this fashion.

The rules proposed below also would provide that the Secretary would inform both the covered plan or provider and the complainant, whenever a decision was made on a complaint.

We are proposing in 164.522(c) that the Secretary could conduct compliance reviews to determine whether covered entities are in compliance. A compliance review could be based on information indicating a possible violation of this subpart even though a formal complaint has not been filed. As is the case with a complaint investigation, a compliance review may examine the policies, practices or procedures of a covered entity and may result in voluntary compliance or in a violation or no violation finding.