If you believe that a covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, you may file a complaint with OCR. OCR can investigate complaints against covered entities and their business associates.
COVERED ENTITIES and BUSINESS ASSOCIATES – A covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically. A business associate is a person or entity that performs functions on behalf of, or provides services to, a covered entity that involve access to protected health information. For more information, please review our Understanding Health Information Privacy section or look at our responses to Frequently Asked Questions (FAQs) on our web site.
COMPLAINT REQUIREMENTS – Your complaint must:
- Be filed in writing, either electronically via the OCR Complaint Portal, or on paper by mail, fax, or e-mail;
- Name the covered entity or business associate involved and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules; and
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”
ANYONE CAN FILE! – Anyone can file a complaint alleging a violation of the Privacy, Security or Breach Notification Rules. We recommend that you use the OCR Complaint Portal or the OCR Health Information Privacy Complaint Form Package. You can also request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please e-mail OCR at OCRComplaint@hhs.gov.
HIPAA PROHIBITS RETALIATION – Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
HOW TO SUBMIT YOUR COMPLAINT – To submit a complaint, please use one of the following methods.
File your complaint electronically via the OCR Complaint Portal
File A Complaint Using Our Health Information Privacy Complaint Package
File A Complaint Without Using Our Health Information Privacy Complaint Package
File A Security Rule Complaint
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
Source: U.S. Department of Health & Human Services, “How To File a Complaint” http://www.hhs.gov website. Accessed November 30, 2015. http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
© Copyright 2016. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented. Read more.