How to File a HIPAA Privacy or Security Complaint

Modified on Tue, 13 Feb 2024 at 05:58 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Anyone, including an employee of a covered entity or business associate, can file a health information privacy or security complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR).

How Must I File My Complaint?

A complaint must be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal.

What Information Must I Include in My Complaint?
The person making the complaint (“Complainant”) must, in the complaint, name the covered entity or business associate involved, and describe the acts or omissions that the person believes violated the requirements of the Privacy, Security, or Breach Notification Rules.

Is There a Filing Deadline?

Complaints must be filed within 180 days of when the Complainant knew that the act or omission complained of occurred. OCR may extend the 180-day period if the Complainant can show “good cause” for why the 180-day period should be extended.

Can I Be Retaliated Against for Filing a Complaint?

Under HIPAA, a covered entity or business associate cannot retaliate against you for filing a complaint against them. If a retaliatory action occurs, a Complainant may notify OCR immediately.

When Will OCR Not Investigate a Complaint?

OCR will not investigate a complaint against an entity that is not a HIPAA covered entity or business associate. OCR does not have the authority to enforce HIPAA against entities that are not required to comply with HIPAA.

OCR can investigate covered entities, which include most:

Doctors
Clinics
Hospitals
Psychologists
Chiropractors
Nursing Homes
Pharmacies
Dentists
Health Insurance Companies
Company Health Plans
Medicare, Medicaid, and other government programs that pay for healthcare

OCR will not investigate a complaint describing activity that does not violate the Privacy or Security Rules. If a complainant is not sure whether their complaint describes an activity that violates the Privacy or Security Rule, the complainant may go ahead and file the complaint. However, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules.

For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule. OCR would therefore not investigate a complaint that described this situation.

Can a Complainant Withhold Their Name and Contact Information from OCR?

OCR does not investigate complaints filed without a name and contact information on the complaint. If a complainant wants OCR to keep their name and contact information confidential during the investigation, the complainant may specify this on the consent form.
