How to File a HIPAA Complaint with OCR
So what do you do when you believe that someone and/or company that is supposedly HIPAA compliant is in fact doing something that isn’t? The answer is you file a complaint with the Office of Civil Rights (OCR).
Don’t waste time filing a complaint they can’t investigate. Review these questions before filing a health information privacy or security complaint with OCR.
Are You Willing to Give OCR Your Name and Contact Information?
OCR does not investigate complaints filed without a name and contact information on the complaint. While we know people worry about their name getting out there and might get some unwanted attention from the media, if you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.
Does Your Complaint Describe an Activity that Might Violate the Privacy or Security Rule?
If you are not sure, go ahead and file your complaint--just remember OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so they would not investigate a complaint that described this situation. Another example would be you going to your regular doctor to show them you have an eye problem like a stye infection that won’t go away. Your regular doctor would send you to an eye doctor, while sending them your medical information in case they prescribe you something or they need to surgically remove the stye and need to know if you are allergic to what they prescribe or use on you.
Complaint Requirements
- Your complaint should be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
- Name of the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules
- Your complaint must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause"
HIPAA Prohibits Retaliation
Under HIPAA, an entity cannot retaliate against you for filing a complaint. Please notify OCR immediately in the event of any retaliatory action that has occurred.
Filing a Complaint Online
Go to the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:
- Information about you (the complainant)
- Details of the complaint (The more details the better)
- Any additional information that might help OCR when reviewing your complaint
You will then need to electronically sign the complaint and complete the consent form. After completing the consent form you will be able to print out a copy to keep for your own records.
Filing a Complaint in Writing
File a Complaint Using the Health Information Privacy Complaint Form Package
Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either: Print and mail the completed complaint and consent forms to:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
Or Email the completed complaint and consent forms to OCRComplaint@hhs.gov (Please be aware that communication by unencrypted email presents a risk that personally identifiable information contained in such an email, may be intercepted by unauthorized third parties)
File A Complaint Without Using Their Health Information Privacy Complaint Package
If you prefer, you may submit a written complaint in your own format, Just print and mail the completed complaint and consent forms to:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
Email to OCRComplaint@hhs.gov
Be sure to include:
- Your name
- Full address
- Telephone numbers (include area code)
- E-mail address (if available)
- Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
- Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
- Any other relevant information
- Your signature and date of complaint
- If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
Remember to include these things if you need them:
- If you need special accommodations for them to communicate with you about this complaint
- Contact information for someone who can help them contact you if they cannot reach you directly
- If you have filed your complaint somewhere else and where you’ve filed
File a Security Rule Complaint
You may file a Security Rule complaint electronically via the OCR Complaint Portal, or using their Health Information Privacy Complaint Package - PDF.
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
Are You Filing Against an Entity that is Required by Law to Comply with the Privacy and Security Rules?
Not all entities are required to comply with the Privacy and Security Rules. OCR can only investigate the covered entities that must comply with these rules. Covered entities include most:
- Doctors
- Clinics
- Hospitals
- Dentists
- Psychologists
- Nursing Homes
- Chiropractors
- Pharmacies
- Health Insurance Companies
- Company Health Plans
- Medicare, Medicaid, and other government programs that pay for health care
Did the Activity Occur After the Privacy and Security Rules Took Effect?
OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date. Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.
With this information, you can file a HIPAA complaint without worrying about whether or not you did it right.