What to Expect

You may file a health information privacy and security complaint with the Office for Civil Rights (OCR) if you feel a covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules (“HIPAA Rules”).

You may also file a complaint with OCR for a potential violation of the confidentiality regulation protecting substance use disorder (SUD) patient records, 42 CFR part 2 (“Part 2”).

OCR Complaint Portal

How OCR Investigates a Health Information Privacy and Security Complaint

OCR carefully reviews all health information privacy and security complaints. Generally, OCR may take action on complaints only if you file your complaint within 180 days of the violation.

Your complaint also must be about a HIPAA or Part 2 violation by a person or organization who is required to follow those laws (also called a “regulated entity”).

  • For HIPAA complaints, your complaint must be about a violation of the HIPAA Rules by a covered entity or business associate.
  • For Part 2 complaints, your complaint must be about a violation of the Part 2 confidentiality requirements for SUD patient records created or received by a federally assisted SUD treatment program or a redisclosure of those records in violation of Part 2.

What Happens After the Investigation

At the end of the investigation, OCR issues a letter describing the resolution of the investigation.

If OCR determines that a regulated entity may not have complied with the HIPAA Rules or Part 2, that entity must:

  • Voluntarily comply with the HIPAA Rules or Part 2
  • Take corrective action
  • Agree to a settlement

If the regulated entity does not take satisfactory action to resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the entity. If CMPs are imposed, the regulated entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.

Content created by Office for Civil Rights (OCR)
Content last reviewed February 13, 2026