How to File a HIPAA Privacy or Security Complaint

Modified on Thu, 17 Jul at 4:32 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction


Anyone, including an employee of a covered entity or business associate, can file a health information privacy or security complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR). This article discusses filing requirements.

How Must I File My Complaint?


A complaint must be filed in writing, by mail, fax, or e-mail, or through the HHS Office for Civil Rights (OCR) Complaint Portal. Complaints made only by telephone are not accepted as filed.


What Information Must I Include in My Complaint?
 

The person making the complaint (the "Complainant") must name the covered entity or business associate involved and describe the acts or omissions that the Complainant believes violated the HIPAA Privacy, Security, or Breach Notification Rules.
 

Is There a Filing Deadline?


Complaints must be filed within 180 days of when the Complainant knew (or should have known) that the act or omission complained of occurred. OCR may extend the 180-day period if the Complainant can show "good cause" for the extension.

Can I Be Retaliated Against for Filing a Complaint? 
 

Under HIPAA, a covered entity or business associate may not retaliate against a Complainant for filing a complaint against it. If a retaliatory action occurs, the Complainant should notify OCR immediately.
 

When Will OCR Not Investigate a Complaint?


OCR will not investigate a complaint against an entity that is not a HIPAA covered entity or business associate, because OCR has no authority to enforce HIPAA against entities that are not required to comply with it. OCR also will not investigate a complaint describing activity that does not violate the Privacy, Security, or Breach Notification Rules.

A Complainant who is not sure whether the activity described violates the HIPAA Rules may still file the complaint. However, OCR can only investigate complaints that allege an act or omission that fails to comply with those Rules.

For example, a doctor may send your medical test results to another doctor without your permission if the second doctor needs the information to treat you; this disclosure for treatment purposes is permitted by the Privacy Rule. OCR would therefore not investigate a complaint describing this situation.


Who Can OCR Investigate?

OCR can investigate covered entities and their business associates. Covered entities include:

  • Doctors
  • Clinics
  • Hospitals
  • Psychologists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Dentists
  • Health Insurance Companies
  • Company Health Plans
  • Medicare, Medicaid, and other government programs that pay for healthcare