Patients have the right to file a complaint with the Office for Civil Rights (OCR) if their health information privacy or security has been compromised. OCR can investigate and address any potential violations.
Understanding the complaint requirements
Anyone can file a health information privacy or security complaint by mail, fax, email, or the OCR Complaint Portal. Here are the key requirements for complaints:
Identification: Provide the name of the covered entity or business associate involved in the alleged violation. Additionally, describe the acts or omissions violating the requirements of the Privacy, Security, or Breach Notification Rules.
Timeline: Your complaint must be filed within 180 days of the act or omission. OCR may extend this period if a patient can demonstrate "good cause" for the delay.
Prohibition of retaliation: HIPAA prohibits any form of retaliation against individuals who file complaints.
Read more: Understanding and implementing HIPAA rules
Filing a complaint online
The OCR complaint portal provides a convenient and efficient way to file health information privacy complaints online:
Access the OCR complaint portal: Open the OCR Complaint Portal and select the type of complaint you would like to file.
Provide necessary information: Fill out the complaint form with as much information as possible. This includes details about yourself, the complainant, and the specifics of the complaint. You can also have any additional information that might help OCR when reviewing your complaint.
Electronic signature and consent: Electronically sign the complaint and complete the consent form. This step ensures that you authorize OCR to investigate your complaint. After completing the consent form, print out a copy of your complaint for your records.
Filing a security rule complaint
OCR also accepts security rule complaints. The process for filing a Security Rule complaint is similar to filing a health information privacy complaint. You can file a Security Rule complaint electronically through the OCR Complaint Portal or the Health Information Privacy Complaint Package.
Mail or fax the complaint to the appropriate OCR regional office based on where the alleged violation occurred.
Read more: What is the HIPAA Security Rule?
Before you file a complaint
Ask yourself the following questions before filing a health information privacy or security complaint with OCR:
Is the entity required to comply with the Privacy and Security Rules?
Not all entities are obligated to comply with these rules. OCR can only investigate complaints against covered entities that must adhere to privacy and security regulations.
Does your complaint describe a potential violation?
OCR can only investigate complaints that allege actions or omissions failing to comply with the Privacy or Security Rules. It's still worth filing your complaint if you are uncertain, but be aware that certain situations may not constitute violations.
Did the activity occur after the effective dates of the rules?
OCR cannot investigate complaints that pertain to incidents that occurred before the implementation dates. The Privacy Rule became mandatory on April 14, 2003, while the Security Rule compliance became obligatory on April 20, 2005.
Are you willing to share your name and contact information?
To initiate an investigation, OCR requires your name and contact information. If you wish to keep your identity confidential in the inquiry, specify this on the complaint form.
See also: HIPAA Compliant Email: The Definitive Guide
Farah Amod
