In § 164.518(d) of the NPRM, we proposed to require covered entities to have a mechanism for receiving complaints from individuals regarding the health plan's or provider's compliance with the requirements of this proposed rule. We did not require that the health plan or provider develop a formal appeals mechanism, nor that "due process" or any similar standard be applied. Additionally, there was no requirement to respond in any particular manner or time frame.
We proposed two basic requirements for the complaint process. First, the covered health plan or health care provider would be required to identify in the notice of information practices a contact person or office for receiving complaints. Second, the health plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of their resolution, if any.
In the final rule, we retain the requirement for an internal complaint process for compliance with this rule, including the two basic requirements of identifying a contact person and documenting complaints received and their dispositions, if any. We expand the scope of complaints that covered entities must have a means of receiving to include complaints concerning violations of the covered entity's privacy practices, not just violations of the rule. For example, a covered entity must have a mechanism for receiving a complaint that patient information is used at a nursing station in a way that it can also be viewed by visitors to the hospital, regardless of whether the practices at the nursing stations might constitute a violation of this rule.