Chapter Four: Seeking Justice Outside the Courtroom
In addition to civil litigation, there are other avenues most states have for an aggrieved patient to bring their concerns about a certain medical professional. In California, the California Medical Board reviews and investigates complaints about, and disciplines, medical professionals, including but not limited to, licensed physicians, surgeons, and licensed midwives. Additionally, although the Board’s staff reviews and investigates complaints about podiatrists and physician assistants, they do not take any disciplinary action against them. Rather, any disciplinary action taken against a podiatrist or a PA is decided by the appropriate licensing board or bureau.
The types of complaints filed with the Medical Board may include but are not limited to those related to substandard care, prescribing issues, sexual misconduct, or the drug, alcohol, mental or physical impairment of a medical professional. Those complaints “alleging negligence that involve patient death or serious bodily injury are given highest priority.” Keep in mind, however, that this is a government entity, so nothing is done exceptionally fast.
In California, the California Department of Community Affairs (“DCA”) oversees and digitally facilitates the complaint process since the California Medical Board is one of its licensing agencies. A complaint form may be filled out and mailed directly to the California Medical Board. Or, a complaint may be filed online through DCA’s BreEze online services. BreEZe is DCA’s online licensing and enforcement system for all of its Boards, Bureaus, and Committees.
Most states have a website that allows a complainant to look up the license number of the medical professional with only the professional’s name. Your online complaint will require you to 1) identify the board or bureau of the individual or organization in question, 2) record the relevant license type, 3) provide a detailed description of what happened and why you are filing your complaint, 4) provide the address where the incident occurred, 5) provide additional information as requested, 6) identify the individual or organization in question, 7) provide your contact information, 8) attach files which serve as evidence supporting your claim(s), and 9) potentially sign an authorization for release of records. Files which may be useful in substantiating your claim include patient records, audio and video recordings, correspondence, billing statements, and proofs of payment.
To file a complaint by mail, you will be required to 1) provide information regarding the person your complaint is against (e.g. full name, address, phone number, license number), 2) provide a detailed account of the incident(s) in question, 3) submit relevant documents (e.g. patient records, photographs, video and audio recordings, correspondence, billing statements, proof of payments), and 5) sign and date both the complaint form and an Authorization for Release of Medical Information Form.
In California, a Consumer Services Analyst receives and reviews each complaint, gathering all necessary information to evaluate the complaint. If enough evidence exists, the complaint will be advanced to a medical consultant. If enough evidence is determined to exist by the medical consultant, the complaint will be sent to the DCA investigation office closest to the site of the alleged incident.
In the course of an investigation, if the medical professional is determined not to have conducted himself or herself below the standard of care, the complaint will be closed. Similarly, if the medical professional is determined to have acted below the standard of care but not with gross negligence, the complaint will be closed. But if the medical professional is determined to have committed gross negligence, the results of the investigation may be submitted to the Attorney General “for a formal charge that may lead to disciplinary action against the physician’s license.”
The entire process, from the date the Board is notified of a violation to the date formal charges are filed, is governed by a special statute of limitations. Exceptions to the statutes of limitation are applied in cases involving “sexual misconduct, care and treatment provided to minors, and proven intentional concealment of specific unprofessional conduct.”
In those cases where you cannot find an attorney to represent you or you feel monetary damages are not sufficient for the wrong that was done by a doctor or other licensed medical professional, the filing of a complaint with the Medical Board of your state may help ensure that corrective action is taken and that the medical professional is not permitted to harm additional patients.
How to File a Complaint With the Department of Public HealthMost states have a Department of Public Health (DPH), another resource for filing complaints of medical malpractice. The DPH regulates and investigates complaints for licensed and certified health care facilities as well as certain types of healthcare professionals. So, if you have a complaint against a nursing home, this is an avenue to take. A complaint may usually be filed with the DPH of your state by phone, fax or mail. If you plan on mailing a complaint, you can simply draft a letter or use a form accessible online. In California, you can also submit the complaint online via the California Health Facilities Information Database. In most cases, the agency will acknowledge receipt of a Complaint within ten (10) days or less.
In California, according to the CDPH website, the database is a source of information for approximately 10,000 health care facilities in California, and provides such information as facility ownership, licensing status, performance history of previous complaints, entity/facility-reported incidents, and state enforcement actions. Regulated facilities are those which provide medical services and must be licensed by the State of California, including, but not limited to, general acute care hospitals, hospices, home health agencies, skilled nursing facilities, and primary care clinics. In addition to filing administrative complaints, the CDPH website can be a valuable fact-finding resource for a litigant filing a malpractice lawsuit due to the wealth of information the website provides about hospitals and prior incidents at hospitals.
Every complaint received by the DPH is documented in an electronic tracking system and assigned to a health facilities evaluator supervisor who is a registered nurse. Incoming complaints are prioritized by the supervisor based on their content, the immediacy of the alleged violation, the inherent risks, and any requirements of state and federal law. The supervisor also assigns the complaint investigation to a “CDPH health facilities evaluator nurse (HFEN).” In the case of a complaint determined to indicate “immediate jeopardy,” in California, the CDPH is required by law to respond to the site “within 24 hours for long-term care facilities and providers and within 48 hours for hospitals and non-long-term care facilities.”
As may be clear by now, one of the primary focuses of DPH is elder care and elder abuse. Too often we see elderly people suffering from bedsores while in a nursing home due to the negligence of their nurses and staff. In California, that’s exactly what the CDPH investigates.
Investigations by the nurse evaluator may include a team of staff members such as doctors, pharmacists, dietitians, occupational therapists and medical record experts. The complainant, who can be anyone – the patient, resident, a family member, an estate administrator, or even an anonymous individual – is permitted to accompany the evaluator and team.
After the investigation, the DPH evaluator (along with a supervisor) must determine if the complaint is “substantiated” or “unsubstantiated" in light of the gathered facts. In California, if the complaint is substantiated and involved a violation of one or more regulatory requirements, the CDPH may perform enforcement action or issue penalties. The administrative actions taken by the CDPH depend on the severity and the scope of any violations found.
What Can I Do About a HIPAA Violation?Let’s start by establishing what HIPAA is, and who to call when something goes wrong. A HIPAA violation is when someone violates your privacy in relation to your health. This could be a nurse speaking loudly in the hallway about how you should apply cream to your rash, your doctor texting you test results, or your dentist’s office not properly disposing of your billing records.
Enacted by Congress, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) established a set of national standards for maintaining certain protected health information, or “PHI.” HIPAA protects PHI under a series of rules created and enforced by the United States Department of Health and Human Services.
HIPAA applies to covered entities which have access to your PHI, including health plans; health insurance companies; HMOs; certain government programs like Medicaid and Medicare; most healthcare providers such as doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists; healthcare clearinghouses; and businesses associated with these entities, such as billing companies, companies that store or destroy medical records periodically, accountants, and lawyers.
Medical information protected under HIPAA includes information contained within medical records, information conveyed orally between a doctor and a nurse about your treatment, progress notes, billing information, and information stored by health insurance companies, just to name a few. The Office of Civil Rights (“OCR”) within the Department of Health and Human Services investigates civil complaints of HIPAA being violated.
According to the HIPAA Journal, common violations of HIPAA include impermissible disclosures of PHI; unauthorized access of PHI; improper disposal of PHI; texting of PHI; failure to provide patients access to their PHI upon request; failure to conduct a risk analysis; failure to manage risks related to the confidentiality, integrity and availability of PHI; failure to implement safeguards as to PHI; failure to enter into a HIPAA-compliant agreement with business associates; failure to provide PHI training and security training; theft of patient records; sharing of PHI over social media; and failure to notify of a PHI breach. For these and other violations, the Office of Civil Rights assigns penalties on a four-tier system:
- Tier I Fines are levied against covered entities that are unaware of their violation of HIPPA and with reasonable due diligence would have known HIPAA rules were violated. Tier I fines range from $100 to $50,000 per violation, capped at $1.5 million per year;
- Tier II Fines are levied when the Office of Civil Rights has reasonable cause to believe that a covered entity knew, or should have known, about a HIPPA violation by exercising reasonable due diligence. Tier II fines range from $1,000 to $50,000 per violation, with a maximum of $1.5 million per year;
- Tier III Fines are assigned to those covered entities who demonstrate a willful neglect of HIPAA’s rules and protections but correct the violation within 30 days of its discovery. Tier III fines range from $10,000 to $50,000 per violation, with a maximum of $1.5 million per year;
- Tier IV Fines, the highest of the civil penalties, are handed out when covered entities willfully neglect HIPAA’s rules and make no effort within 30 days to correct the violation. Tier IV Fines are $50,000 per violation, with a maximum of $1.5 million per year.
Criminal penalties may be also assessed under HIPAA regarding violations committed by either individuals or corporate representatives of covered entities. The Department of Justice (“DOJ”) prosecutes these violations.
A covered entity which knowingly uses, causes to be used, obtains, or discloses personal health information faces 1) a potential fine of up to $50,000, 2) imprisonment for up to one year, or 3) both. If the offense occurs under false pretenses, the penalty could be 1) a fine of up to $100,000, 2) imprisonment for up to five years, or 3) both. And if the offense committed involved an intent to sell, transfer, or otherwise use personal health information for commercial gain, personal gain, or malicious harm, the penalty could be 1) a fine of up to $250,000, 2) imprisonment for up to ten years, or 3) both.
If you believe a HIPAA breach has occurred, whether it is of your own protected health information, or that of a loved one, you may file a complaint in writing by mail, fax or e-mail to the Office of Civil Rights. You can also file a complaint online through the agency’s online portal. In any case, the OCR will require certain information such as the name of the covered entity and details about the alleged breach. You are protected under HIPAA against retaliation for filing a complaint, and any act of retaliation, discrimination or similar improper action taken against you for exercising your rights under HIPAA is strictly prohibited. Complaints should be filed within 180 days of the occurrence of the violation, which may be extended for good cause.
Complaint Information, Medical Board of California, (last visited Sept. 17, 2019).
How Complaints Are Handled, Medical Board of California (March 2019).
Submit Complaint By Mail, Medical Board of California, (last visited Sept. 17, 2019).
Submit Complaint Online, California Medical Board, (last visited Sept. 17, 2019).
DCA BreEz Online Training Tutorial: File a Complaint, California Department of Consumer Affairs, (last visited Sept. 17, 2019).
Consumer Complaint Form, Medical Board of California (Jan. 2019).
How Complaints Are Handled, Medical Board of California (March 2019).
Complaint Investigation Process, California Department of Public Health, (last visited Sept. 17, 2019).
Licensing and Certification Program, California Department of Public Health (March 26, 2018).
Cal Health Find Database, California Department of Public Health (June 28, 2018).
Complaint Investigation Process, California Department of Public Health, (last visited Sept. 17, 2019).
Cal Health Find Database, California Department of Public Health (June 28, 2018).
Health Care Facility Licensing and Certification, California Department of Public Health (Sept. 11, 2019).
Cal Health Find Database, California Department of Public Health (Oct. 2, 2018).
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Centers for Disease Control and Prevention, (last visited Sept. 18, 2019).
Summary of the HIPAA Privacy Rule, U.S. Department of Health and Human Services (July 26, 2013).
What is a HIPAA Violation?, HIPAA Journal, (last visited Sept. 18, 2019).
HIPPA Violation Fines, HIPAA Journal, (last visited Sept. 18, 2019).
Enforcement Process, U.S. Department of Health and Human Services (June 7, 2017).
Wrongful Disclosure of Individually Identifiable Health Information, Social Security, (last visited Sept. 18, 2019).
How to File a Health Information Privacy or Security Complaint, U.S. Department of Health and Human Services, (last visited Sept. 18, 2019).
<< Introduction ---------- Chapter Five