or retaliatory acts, refraining from (HIPAA)
entities may not "intimidate, threaten, coerce, discriminate
against, or take other retaliatory action" against:
- patients who are attempting to exercise their rights under
HIPAA, or who file a complaint about a covered entity's
alleged failure in regard to those
such as members of the covered entity's workforce,
who testify, assist or otherwise participate in an investigation
of a possible HIPAA violation.
As regards the latter, individuals must be able to oppose any
practice where they have a "good faith belief" that the
practice is unlawful, as long as the method of opposition is
"reasonable" and does not involve a disclosure of protected
health information (PHI).
Where use or disclosure of PHI is considered essential to
establish a violation, that must be limited to the minimum
necessary to achieve the reporting.
Patients and workforce members may elect to proceed directly
to the US Department of Health and Human Services (DHHS) with
their complaints. Typically, however, an "internal" report of
problems will be made first to the covered entity's privacy
officer/office, and then proceed to DHHS only if that
response is not satisfactory.
should consider having a toll-free, always-open "hotline"
that facilitates the anonymous reporting of possible violations.
Non-intimidation and non-retaliation may be the organization's
policy, and it may even be the reality. But workforce members
can still be afraid of the consequences of blowing the whistle
on a suspect practice.