HIPAA grants patients the right to file a complaint if they believe their protected health information (PHI) has been mishandled or disclosed without authorization. This right empowers individuals to address potential violations and ensure their privacy remains intact.
Go deeper: What are patient rights under HIPAA?
Identifying potential violations
Patients should recognize instances that might constitute a HIPAA violation. These can include unauthorized disclosure of medical records, improper access to health information, or examples where PHI is misused. Understanding what qualifies as a breach is the first step in addressing the issue.
Anyone can file a health information privacy or security complaint. Your complaint must:
- Be filed in writing by mail, fax, e-mail, or via the Office for Civil Rights (OCR) Complaint Portal.
- Identify the relevant covered entity or business associate and explain the actions or inactions that, in your opinion, breached the Privacy, Security, or Breach Notification Rules.
- Be submitted within 180 days after learning about the alleged act or omission. The 180-day timeframe may be extended by OCR if "good cause" is demonstrated.
Steps to filing a HIPAA complaint
Step 1: Documenting the incident
Detailed documentation of the incident is paramount. Note relevant specifics, including dates, the names of involved parties, and any evidence supporting the claim.
Step 2: Contact the covered entity
Contact the healthcare provider, hospital, or entity responsible for the potential breach. Express concerns and seek resolution through direct communication.
Step 3: Filing a complaint
- Online filing
- Visit the OCR's website: Access the OCR website.
- Fill out the online complaint form: Provide necessary details and attach supporting documentation directly through the online form.
- Written complaint submission
- Obtain and print the complaint form: Download the complaint form from the OCR's website.
- Complete the form: Fill it out comprehensively, ensuring all pertinent information is included.
- Submission via mail or fax: Mail or fax the completed form and any supporting documents to the provided OCR address or fax number.
Can the covered entity retaliate against the complaint?
HIPAA prohibits a covered entity from retaliating for filing a complaint. Should retaliation occur, the patient should alert OCR right away.