Skip Navigation

How To File a Complaint

If you believe that a covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, you may file a complaint with OCR. OCR can investigate complaints against covered entities and their business associates.

COVERED ENTITIES and BUSINESS ASSOCIATES - A covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically.  A business associate is a person or entity that performs functions on behalf of, or provides services to, a covered entity that involve access to protected health information. For more information, please review our  Understanding Health Information Privacy section or look at our responses to  Frequently Asked Questions (FAQs) on our web site.

 COMPLAINT REQUIREMENTS - Your complaint must:

  1. Be filed in writing, either electronically via the OCR Complaint Portal, or on paper by mail, fax, or e-mail;
  2. Name the covered entity or business associate involved and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules; and
  3. Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause."  

ANYONE CAN FILE! - Anyone can file a complaint alleging a violation of the Privacy, Security or Breach Notification Rules. We recommend that you use the OCR Complaint Portal or the OCR Health Information Privacy Complaint Form Package. You can also request a copy of this form from an  OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please e-mail OCR at OCRComplaint@hhs.gov.

HIPAA PROHIBITS RETALIATION - Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

HOW TO SUBMIT YOUR COMPLAINT - To submit a complaint, please use one of the following methods.

 

File your complaint electronically via the OCR Complaint Portal

  • Open the OCR Complaint Portal and select the type of complaint you would like to file.  Complete as much information as possible, including:
    1. Information about you, the complainant;
    2. Details of the complaint; and
    3. Any additional information that might help OCR when reviewing your complaint.
  • You will then need to electronically sign the complaint and complete the consent form.
  • After completing the consent form you will be able to print out a copy of your complaint to keep for your records.
  • You can submit your complaint by clicking the “Submit This Complaint” button at the bottom of the page.

Hide Details

File A Complaint Using Our Health Information Privacy Complaint Package

  • Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:

    1. print and mail or fax the completed complaint and consent forms to the appropriate  OCR regional office; or
    2. e-mail the completed complaint and consent forms to OCRComplaint@hhs.gov.(Please note that communication by unencrypted e-mail presents a risk that personally identifiable information contained in such an e-mail, may be intercepted by unauthorized third parties.)

Hide Details

File A Complaint Without Using Our Health Information Privacy Complaint Package

  • If you choose not to use the OCR Health Information Privacy Complaint Form Package, please provide the information specified below by either:

    1. mail or fax to the appropriate  OCR regional office; or
    2. e-mail to OCRComplaint@hhs.gov.

    If you prefer, you may submit a written complaint in your own format. Be sure to include the following information:

    1. Your name
    2. Full address
    3. Telephone numbers
    4. E-mail address (if available)
    5. Name, full address and telephone number of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
    6. Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
    7. Any other relevant information
    8. Your signature and date of complaint

    If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.

    The following information is optional:

    1. Do you need special accommodations for us to communicate with you about this complaint?
    2. Who else can we call if we cannot reach you?
    3. Have you filed your complaint somewhere else? If so, where?

Hide Details

   

File A Security Rule Complaint 

Hide Details

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.