Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 352 If I believe that my privacy rights have been violated, when can I submit a complaint?

This is guidance related to submitting a privacy related complaint

Final

Issued by: Office for Civil Rights (OCR)

If I believe that my privacy rights have been violated, when can I submit a complaint?

Answer:

By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses, (collectively, “covered entities”) had until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans had until April 14, 2004, to comply).  OCR provides further information on its web site about how to file a complaint.

  • Activities occurring before April 14, 2003, are not subject to the Office for Civil Rights (OCR) enforcement actions.
  • After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically.
  • This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
  • The Secretary may waive this 180-day time limit if good cause is shown. See 45 CFR 160.306 and 164.534.

In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.