HIPAA Privacy and Confidentiality Complaints Policy

Policy: HIPAA Privacy and Confidentiality Complaints

Policy Number: 201
Policy Section: Compliance
Owner: Compliance Officer
Approved By: Paul Vogelman, COO
Effective Date: 2/03/2022
Date of Last Review: 3/23/2023


SUD Specialty Group -- CA; Mental Health Specialty Group, P.A.; Mental Health Specialty Group NJ, PC; and Mental Health Specialty Group KS, P.A. (collectively, the "Group") contracts with Path CCM, Inc. d/b/a Rula Health ("Rula") for management and administrative support services. This policy applies to the Group and Rula.


Policy Statement

This policy outlines the mechanism for reporting complaints regarding compliance with privacy policies and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.


This policy applies to all team members. For purposes of this policy, the Group’s and Rula’s team members include individuals who would be considered part of the workforce such as employees, independent contractors, business team members, and other persons whose work performance is under the direct purview of Rula or the Group’s business practices. 



Breach: An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.



  1. Anyone may file a complaint regarding the privacy policies and practices, or if they believe a breach has occurred. 
  1. The Privacy Officer or the U.S. Department of Health and Human Services Secretary may receive privacy complaints. 
  2. The Notice of Privacy Practices details how an individual may make a complaint. 
  3. The complaint must be documented in writing within 180 days of the occurrence. 
    1. If the individual is unable or unwilling to submit the complaint in writing, the Privacy Officer shall ask the individual to explain the complaint in sufficient detail to enable the Privacy Officer to investigate, review, and resolve the complaint. 
    2. The Privacy Officer will document the complaint using the HIPAA Privacy Breach Report. 


  1. The Privacy Officer is responsible for the investigation of all privacy complaints that are filed. 
    1. Any team member that becomes aware of a privacy complaint shall promptly report this information to the Privacy Officer. 
    2. The Privacy Officer will involve the Security Officer or the Compliance Officer as needed based on the nature of the complaint. 
    3. The Privacy Officer will investigate the complaint and provide a written response to the complainant within 30 days from the date the complaint was filed. 
    4. Documentation of the complaint will be retained in accordance with the Records Retention and Destruction policy. Complaints are not considered part of the patient’s designated record set and as such will be filed separately. 
    5. If the Privacy Officer or authorized representative determines that a breach occurred, the HIPAA Privacy Breach Reporting policy will be followed. 
  2. The Group and Rula’s team members will not retaliate against anyone for exercising rights provided by the Privacy Rule, including filing a complaint, or assisting in an investigation by Health and Human Services or other appropriate authority, or for opposing an act or practice that the patient believes in good faith violates the Privacy Rule. Patients are not required to waive any right, including the right to file a complaint under the Privacy Rule as a condition for treatment or payment. 
  3. Upon determination that one or more team members have failed to comply with the privacy policies or practices, or violated the Privacy Rule, disciplinary action, up to and including termination, may/will be enforced/sought. 

Attachments:  None
