intimidating or retaliatory acts, refraining from (HIPAA)

Covered entities may not "intimidate, threaten, coerce, discriminate against, or take other retaliatory action" against:

  • patients who are attempting to exercise their rights under HIPAA, or who file a complaint about a covered entity's alleged failure in regard to those rights; or
  • individuals, such as members of the covered entity's workforce, who testify, assist or otherwise participate in an investigation of a possible HIPAA violation.

As regards the latter, individuals must be able to oppose any practice where they have a "good faith belief" that the practice is unlawful, as long as the method of opposition is "reasonable" and does not involve a disclosure of protected health information (PHI).

Where use or disclosure of PHI is considered essential to establish a violation, it must be limited to the minimum necessary to achieve the reporting.

Patients and workforce members may elect to proceed directly to the US Department of Health and Human Services (DHHS) with their complaints. Typically, however, an "internal" report of problems will be made first to the covered entity's privacy officer/office, and the complaint will proceed to DHHS only if the response is not satisfactory.

Larger organizations should consider having a toll-free, always-open "hotline" that facilitates the anonymous reporting of possible violations. Non-intimidation and non-retaliation may be the organization's policy, and it may even be the reality. But workforce members can still be afraid of the consequences of blowing the whistle on a suspect practice.

Last modified: 14-May-2005 [RC]

 
 

   © 2002-2006 Contributing authors and University of Miami School of Medicine