What OCR Considers During Intake & Review of a Complaint

The Office for Civil Rights (OCR) is the agency within the U.S. Department of Health and Human Services that investigates complaints about failures to protect the privacy or security of health information. It does so under its authority to enforce the HIPAA Privacy, Security, and Breach Notification Rules (collectively known as the “HIPAA Rules”), in accordance with the HIPAA Enforcement Rule.

OCR carefully reviews all complaints that it receives. Under the law, OCR may take action only on complaints that meet the following conditions.

  • The alleged action must have occurred in the past 6 years.
  • The complaint must be filed against an entity that is required by law to comply with the HIPAA Rules. Not all organizations are covered by the HIPAA Rules.

    Entities subject to the HIPAA Rules are called “covered entities” or “business associates.”

    Briefly, a covered entity is one (or more) of the following:
    • a health plan, including but not limited to:
      • health insurance companies
      • company health plans
    • a health care provider that electronically transmits any health information in connection with certain financial and administrative transactions (such as electronically billing insurance carriers for services), including but not limited to:
      • doctors
      • clinics
      • hospitals
      • psychologists
      • chiropractors
      • nursing homes
      • pharmacies
      • dentists
    • a health care clearinghouse.

    A “business associate” is, generally, a person (which could be a natural person or a corporation or other entity) that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity to perform certain functions, or provides certain services to or for a covered entity involving the disclosure of PHI. For information about when OCR can investigate complaints against a business associate, see the Fact Sheet entitled “Direct Liability of Business Associates.”

    Examples of organizations that are business associates include organizations or companies that perform the following functions and services involving PHI:

    • legal and accounting services
    • billing and processing claims
    • data analysis
    • managing benefits

    Examples of organizations that generally are not HIPAA covered entities and are not required to comply with the HIPAA Rules include:

    • life insurers
    • employers
    • workers' compensation carriers
    • many schools and school districts
    • many state agencies, such as child protective service agencies
    • many law enforcement agencies
    • many municipal offices
  • A complaint must allege an activity that, if proven true, would violate the HIPAA Rules. For example, OCR generally could not investigate a complaint that alleged that a physician sent an individual’s health information to another health care provider for consultation relating to a patient, because the Privacy Rule permits covered health care providers to use and disclose such information for such treatment purposes.
  • Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the HIPAA Rules. OCR may waive this time limit if it determines that the person submitting the complaint shows good cause for not submitting the complaint within the 180-day time frame (e.g., circumstances that made submitting the complaint within 180 days impossible).

Content created by Office for Civil Rights (OCR)
Content last reviewed November 20, 2023