Compliance Enforcement: What OCR Considers During Intake & Review

This is a summary of OCR's considerations during complaint intake & review.

Final

Issued by: Office for Civil Rights (OCR)

What OCR Considers During Intake & Review of a Complaint

The Office for Civil Rights (OCR) is the agency within the U.S. Department of Health and Human Services that investigates complaints about failures to protect the privacy of health information. It does so under its authority to enforce the Privacy and Security Rules.

OCR carefully reviews all complaints that it receives. Under the law, OCR may take action only on complaints that meet the following conditions.

  • The alleged action must have taken place after the dates the Rules took effect. Compliance with the Privacy Rule was not required until April 14, 2003. Compliance with the Security Rule was not required until April 20, 2005. Therefore, OCR cannot investigate complaints about actions that took place before these dates.
  • The complaint must be filed against an entity that is required by law to comply with the Privacy and Security Rules. Not all organizations are covered by the Privacy and Security Rules. Entities subject to the Privacy and Security Rules are considered “covered entities.” Briefly, a covered entity is:
    • a health plan, including but not limited to
      • health insurance companies,
      • company health plans; or
    • a health care provider that electronically transmits any health information in connection with certain financial and administrative transactions (such as electronically billing insurance carriers for services), including but not limited to
      • doctors,
      • clinics,
      • hospitals,
      • psychologists,
      • chiropractors,
      • nursing homes,
      • pharmacies, and
      • dentists; or
    • a health care clearinghouse.
    Examples of organizations that are not required to comply with the Privacy and Security Rules include
      • life insurers,
      • employers,
      • workers’ compensation carriers,
      • many schools and school districts,
      • many state agencies like child protective service agencies,
      • many law enforcement agencies, and
      • many municipal offices.
  • A complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. For example, OCR generally could not investigate a complaint that alleged that a physician sent a person’s demographic information to an insurance company to obtain payment, because the Privacy Rule generally permits doctors to use and disclose such information to bill for their services.
  • Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy or Security Rule. OCR may waive this time limit if it determines that the person submitting the complaint shows good cause for not submitting the complaint within the 180-day time frame (e.g., circumstances that made submitting the complaint within 180 days impossible).

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.