How to File a Health Information Privacy or Security Complaint
Anyone can file a health information privacy or security complaint. Your complaint must:
- Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
- Name the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause"
HIPAA Prohibits Retaliation
Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
File a Health Information Privacy Complaint Online
Open the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:
- Information about you, the complainant
- Details of the complaint
- Any additional information that might help OCR when reviewing your complaint
You will then need to electronically sign the complaint and complete the consent form. After completing the consent form you will be able to print out a copy of your complaint to keep for your records
File a Health Information Privacy Complaint in Writing
File a Complaint Using the Health Information Privacy Complaint Form Package
Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:
- Print and mail or fax the completed complaint and consent forms to the appropriate OCR regional office
- Email the completed complaint and consent forms to OCRComplaint@hhs.gov (Please note that communication by unencrypted email presents a risk that personally identifiable information contained in such an email, may be intercepted by unauthorized third parties)
File A Complaint Without Using Our Health Information Privacy Complaint Package
If you prefer, you may submit a written complaint in your own format by either:
Be sure to include:
- Your name
- Full address
- Telephone numbers (include area code)
- E-mail address (if available)
- Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
- Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
- Any other relevant information
- Your signature and date of complaint
If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
You may also include:
- If you need special accommodations for us to communicate with you about this complaint
- Contact information for someone who can help us reach you if we cannot reach you directly
- If you have filed your complaint somewhere else and where you’ve filed
File a Security Rule Complaint
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
Before You File a Complaint
Don’t waste time filing a complaint we can’t investigate. Review these questions before filing a health information privacy or security complaint with OCR:
Are you filing a complaint against an entity that is required by law to comply with the Privacy and Security Rules?
Not all entities are required to comply with the Privacy and Security Rules. OCR can only investigate the covered entities that must comply with these rules. Covered entities include most:
- Nursing Homes
- Health Insurance Companies
- Company Health Plans
- Medicare, Medicaid, and other government programs that pay for health care
Does your complaint describe an activity that might violate the Privacy or Security Rule?
If you are not sure, go ahead and file your complaint. But, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so we would not investigate a complaint that described this situation.
Did the activity occur after the Privacy and Security Rules took effect?
OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date. Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.
Are you willing to give OCR your name and contact information?
OCR does not investigate complaints filed without a name and contact information on the complaint. If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.