Guide to HIPAA Privacy Regulations

12.	COMPLIANCE AND ENFORCEMENT:

160.304

12.1.

Principals for Achieving Compliance:

12.1.1.	Cooperation: Secretary of HHS will, to the extent practicable, seek cooperation of CEs in obtaining compliance with the regulations.
12.1.2.	Assistance: Secretary of HHS may provide technical assistance to CEs to help them comply voluntarily with the regulations.

160.306

12.2.

Complaints to the Secretary of HHS:

12.2.1.

Right to file complaint: A person who believes a CE is not complying with the regulations may file a complaint with the Secretary of HHS.

12.2.2.

Requirements for filing complaint:

12.2.2.1.	Complaint must be filed in writing, either on paper or electronically;
12.2.2.2.	Complaint must name entity that is the subject of the complaint and describe acts or omissions believed to be in violation of the regulations;
12.2.2.3.	Complaint must be filed within 180 days of when complainant knew or should have known of the act or omission, unless the time limit is waived by the Secretary of HHS for good cause shown.

12.2.3

Investigation: Secretary of HHS may investigate complaints, which may include review of policies, procedures, or practices of the CE and of the circumstances regarding the alleged acts or omissions.

160.308

12.3.

Compliance Reviews: Secretary of HHS may conduct compliance reviews to determine whether CEs are complying with applicable requirements of the regulations.

160.310

12.4.

Responsibilities of CE:

12.4.1.

Provide records and compliance reports: CE must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary of HHS may determine to be necessary to enable the Secretary to ascertain whether CE has complied and is complying with the regulations.

12.4.2.

Cooperate with complaint investigations and compliance reviews: CE must cooperate with the Secretary of HHS if the Secretary undertakes an investigation or compliance review of the policies, procedures or practices of a CE.

12.4.3.

Permit access to information:

12.4.3.1.	CE must permit access by the Secretary of HHS during normal business hours to its facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance with the regulations. If the Secretary determines that exigent circumstances exist, a CE must permit access at any time, without notice.
12.4.3.2.	If any of the information required of a CE hereunder is in the exclusive possession of another agency, institution, or person that fails or refuses to furnish the information, the CE must so certify, and set forth the efforts it undertook to obtain the information.
12.4.3.3.	PHI obtained by the Secretary of HHS in connection with an investigation or compliance review will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable requirements of the regulations.

160.312

12.5.

Secretarial Action Regarding Complaints and Compliance Reviews:

12.5.1.

Resolution where noncompliance is indicated:

12.5.1.1.	If an investigation or compliance review indicates a failure to comply, the Secretary of HHS will so inform the CE and, if the matter arose from a complaint, the complainant, in writing and attempt to resolve the matter by informal means whenever possible.
12.5.1.2.	If the Secretary of HHS finds the CE is not in compliance and determines that the matter cannot be resolved informally, the Secretary may issue to the CE, and, if the matter arose from a complaint, the complainant, written findings documenting the noncompliance.

12.5.2.

Resolution when no violation is found: If, after an investigation or compliance review, the Secretary of HHS determines that further action is not warranted, the Secretary will so inform the CE and, if the matter arose from a complaint, the complainant, in writing.

NOT COVERED: Transition Provisions [164.532]; Compliance Dates [164.534]

Table of Contents | Index | HIPAA Statewide Project