Podcast: Addressing Patient Complaints About Privacy Violations
In the third and final episode of Florida Capital Conversations' healthcare privacy series, Tallahassee attorneys Shannon Hartsfield and Eddie Williams join hosts Nathan Adams and Mia McKown to discuss the challenges of patient privacy complaints under the Health Insurance Portability and Accountability Act (HIPAA). They explain that though complaints are common — often concerning alleged misuse or disclosure of protected health information — patients have limited legal recourse beyond filing complaints with providers, state boards or the U.S. Department of Health and Human Services, as HIPAA does not include a private right of action allowing patients to sue organizations directly.
The conversation highlights the importance of clear communication, robust HIPAA policies and thorough documentation in addressing and preventing privacy issues. Ms. Hartsfield and Mr. Williams emphasize timely responses to complaints, comprehensive staff training and proactive protocol updates as key strategies for building patient trust and resolving issues efficiently. As a whole, the series offers practical legal insight into privacy matters affecting Florida's healthcare landscape.
Nathan Adams: Welcome to Holland & Knight's Florida Capital Conversations podcast series. Today we kick off a three-part series on healthcare privacy. Our guests are Shannon Hartsfield and Eddie Williams. My name is Nathan Adams. My co-host is Mia McKown. We are so pleased that you have joined us today to consider another interesting issue bearing on state government affecting Florida business and communities. There is none better than Shannon Hartsfield and Eddie Williams to kick off our discussion of healthcare privacy. This session will address patient privacy complaints.
Mia McKown: Hi, Nate. It's good to be here on our third and final podcast on an assortment of privacy issues. And I'm glad to see Shannon and Eddie again today. In case people are just joining us in this series, could you give us a little bit about your background and also your experience dealing with patient complaints about privacy violations? And I think we can say as lawyers the clients probably hate getting complaints, but this is where some of our specialty comes in on how to deal with them. So I'm curious to hear a little bit about your experience and how, in this area, and how some situations and what kind of advice you've given to clients on this topic.
Shannon Hartsfield: Thanks Mia, this is Shannon Hartsfield. I've been practicing in the area of health law for my entire career. I'm board certified by the Florida Bar Board of Specialization in Health Law. And a lot of what I do day to day is helping clients comply with their privacy obligations and dealing with potential HIPAA breaches and things like that. And a [lot of] times, a patient complaint stems from some sort of problem within the system and is a good signal of something that may need to be addressed.
Eddie Williams: Hi, this is Eddie Williams, and I've been practicing in the healthcare area for well over 15 years now. Also dealing with the area of HIPAA and particularly providing guidance to clients as it relates to providing access to records when a patient or someone on their behalf makes that request, as well as providing clients with guidance as it relates to the ownership and access to records of minors. So we definitely have a lot of experience in this area and dealing with complaints when they arise and particularly as it relates to providing access to individuals' information.
Shannon Hartsfield: And one of the reasons I wanted to talk about this today is that at the firm, we do get calls — it's been almost on a weekly basis — from patients who have had the privacy of their information compromised, or they feel that there has been some sort of breach of the privacy or security of their information. And HIPAA does not provide what we call a private right of action. These patients cannot go and sue their provider for violating HIPAA. They would have to find some other positive action and that's not always easy. It's not easy to find attorneys who handle these types of matters, and we try our best to send them to people that might be able to help, but really they don't have a lot of recourse other than to file a complaint with their provider or the state medical board — for example, the Board of Medicine here in Tallahassee, or the Agency for Healthcare Administration, if it's a facility here in Tallahassee — or they can file a complaint with the federal Department of Health and Human Services Office for Civil Rights. There's an online form where they can go file a complaint there, but there's not a whole lot they can do. So I think it's key for companies to try to avoid violating HIPAA, so it will reduce the number of complaints they have to deal with.
Mia McKown: I mean, I hear so much now, which I never heard before, just out in public and you're at the grocery store or living, you know, other than the legal setting and you hear people talk about, well, that violated my HIPAA rights, you know, and again, I think it goes to the point, Shannon, that sometimes there's a misunderstanding of what their rights are in that regard. So, Eddie, in your experience, what are some of the most common privacy complaints patients have in their healthcare settings? I know Shannon touched on some of them. But can you kind of further expand and tell our listeners a little bit more of what you've seen in this regard?
Eddie Williams: Well, we received complaints from individuals indicating that a provider misused or improperly disclosed their protected health information, not fully understanding that the provider could already have their consent to make such disclosure or they're allowed to make that disclosure on the hip of, say, forensic for treatment purposes or for some other healthcare operations purposes. But to the individual, they [may not have] a full understanding of the law and what an individual can do with their information. Sometimes, they didn't properly read the notices of privacy practice and the authorization form that they're signing. And so they may have consented and gave full authorization for the provider to do what they want to do with the information. So they have to be very careful and read what they're signing, as you indicated, when you go to a doctor's office or a hospital. It may be a lot of forms, maybe a lot of language, but you need to try to read them very carefully and ask questions. But a lot of the complaints are about an alleged misuse or improper disclosure of the information.
Nathan Adams: How should healthcare providers respond to privacy complaints to ensure patient trust and satisfaction?
Shannon Hartsfield: I think they need to respond rapidly and thoroughly and appropriately. The notice of privacy practices that should be on every covered entity's website as well as provided to patients with whom they have a direct treatment relationship needs to include information about how to file a complaint, and ideally that document would prominently list the email address or number or whatever to contact the privacy official. It also has to indicate that they can file a complaint with the federal Department of Health and Human Services. But I would make it clear to patients that they could go to the covered entity first and potentially whatever the issue is can be addressed before it escalates.
Mia McKown: Trying to prevent that from escalating, what steps can be taken to investigate and resolve these privacy complaints quickly? I would assume that one thing would be probably to have a standard policy and procedure on what steps to take: This is what you do to investigate the complaint. So what has been your experience? I don't know, Shannon or Eddie, that you all have had, either individually or together, working together on these type of complaints, having, helping the businesses navigate this and to make sure they're investigating properly.
Eddie Williams: Yes, under HIPAA, covered entities are required to have a process in place to receive and manage complaints. So, they need to have those complaints, I guess, shared and indicated, routed to someone who will perform an actual investigation. They need to communicate with the individual to explain to them their complaint and investigation process so they understand that they're taking it serious and they treat this as a serious matter of this particular complaint. Again, investigate the complaint. They need to document the investigation throughout, including the findings, provide those findings to the individual even if they find that there was no violation of HIPAA, and provide that information to the individual. And if, as Shannon indicated, they want to provide or seek another avenue and file a complaint with the Secretary of the Department of Health and Human Services, then they have that right to do so. But again, providing the individual the information regarding your complaint process, notify them if there actually was a breach, ensuring that you follow your policies and procedures for handling such complaints, as well as, again, if there is a breach, the breach notification requirements.
Nathan Adams: Can you share examples of successful resolutions to patient privacy complaints?
Shannon Hartsfield: I think most of the resolutions involve something that we've referenced here, which is communication. Clear communication with the patient to understand what their concern is and how it can be resolved. For example, if they are wanting access to their information, the federal government has issued a ton of penalties and settlements relating to failure to provide timely access. And now we have new federal laws prohibiting information blocking. So it's even more important that you make sure that patients can access the data that they need. Other situations could involve just simple miscommunications. Someone may be requesting records for a loved one and they may or may not have a right to get that information. So it's a matter of explaining that to them, explaining what you need in order to provide the information that they want. Sometimes patients don't understand what HIPAA allows. For example, they may be concerned that their neighbor who works for the doctor accessed their records. Well, potentially the neighbor had a very valid HIPAA-compliant reason to access their information. So it's a matter of communicating that with the patient. There are situations where patients have gone directly to the federal government and filed a complaint and the provider, the first time they hear about it is when they get a letter from the Office for Civil Rights or an email investigating the complaint. And so that requires the provider to go back through their records, try to figure out what happened and see if they did anything wrong. And if so, a lot of times they can correct it. They can interface with the patient and help the patient get whatever they need, and usually that will resolve the complaint on the federal side as well, and potentially avoid enforcement action.
Mia McKown: Of bottling all of this up and wrapping it up in the end, one of the things we want to do is to prevent a complaint in the first place. And we've touched on some of that in some of our discussion today, but to kind of wrap it up, what type of proactive measures can healthcare providers implement to minimize these type of privacy complaints, period? You know, what can they do going forward to hopefully stop the complaint from happening in the first place?
Eddie Williams: Well, as Shannon indicated, effective communication, you know, with your patients regarding their rights so they can understand how their information is being received and shared. You know, you need to do effective training with your workforce — the provider does — to ensure that, you know, everyone is informed on the requirements to protect their information, but also if there is a complaint, you know, they need to timely respond to those complaints, or if there's a request for access, they need to timely respond to those requests for access to the individual. If there's, you know, the individual needs to execute a particular form for, you know, someone on their behalf, try to explain that to them effectively. You know, that's the reason for the delay or the reason why you can't release the records. Most of the time when you have that effective communication, the individuals understand and the complaints are resolved. But again, documentation, documentation, documentation. It's important that you document these complaints, document the resolutions and things of that nature, because heaven forbid if you receive a request from OCR to come in and investigate, you will have all this information readily available. So, you know, you need to ensure that you updated your policies or procedures and things of that nature. You have your documents ready and in place.
Shannon Hartsfield: And I would add, it's also really important to have robust HIPAA policies and procedures. So often we see situations where a provider will provide its privacy policy and it'll be five pages long. There really needs to be detailed policies about how you are going to respond to these complaints, and then you need to train your workforce with respect to those policies so that everybody knows where complaints need to go, who's supposed to address them, what needs to happen. So that's a really helpful thing as well.
Nathan Adams: Thanks to Shannon Hartsfield and Eddie Williams for their informative and interesting comments on healthcare privacy. And thanks to my co-host, Mia McKown. Most of all, thanks to you for joining us today. Please plan to join us for our next Florida Capital Conversations podcast. Have a great day.