What OCR Considers During Intake & Review of a Complaint

The Office for Civil Rights (OCR) is the agency within the U.S. Department of Health and Human Services that investigates complaints about failures to protect the privacy or security of health information. It does so under its authority to enforce the HIPAA Privacy, Security, and Breach Notification Rules (collectively known as the “HIPAA Rules”), in accordance with the HIPAA Enforcement Rule.

OCR carefully reviews all complaints that it receives. Under the law, OCR may take action only on complaints that meet the following conditions.

  • The alleged action must have occurred in the past 6 years.
  • The complaint must be filed against an entity that is required by law to comply with the HIPAA Rules. Not all organizations are covered by the HIPAA Rules.

    Entities subject to the HIPAA Rules are called “covered entities” or “business associates.”

    Briefly, a covered entity is one (or more) of the following:
    • a health plan, including but not limited to:
      • health insurance companies
      • company health plans
    • a health care provider that electronically transmits any health information in connection with certain financial and administrative transactions (such as electronically billing insurance carriers for services), including but not limited to:
      • doctors
      • clinics
      • hospitals
      • psychologists
      • chiropractors
      • nursing homes
      • pharmacies
      • dentists
    • a health care clearinghouse.

    A “business associate” is, generally, a person (which could be a natural person or a corporation or other entity) that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity to perform certain functions, or provides certain services to or for a covered entity involving the disclosure of PHI. For information about when OCR can investigate complaints against a business associate, see the Fact Sheet entitled “Direct Liability of Business Associates.”

    Examples of organizations that are business associates include organizations or companies that perform the following functions and services involving PHI:

    • legal and accounting services
    • billing and processing claims
    • data analysis
    • managing benefits

    Examples of organizations that generally are not HIPAA covered entities and are not required to comply with the HIPAA Rules include:

    • life insurers
    • employers
    • workers’ compensation carriers
    • many schools and school districts
    • many state agencies like child protective service agencies
    • many law enforcement agencies
    • many municipal offices
  • A complaint must allege an activity that, if proven true, would violate the HIPAA Rules. For example, OCR generally could not investigate a complaint that alleged that a physician sent an individual’s health information to another health care provider for consultation relating to a patient, because the Privacy Rule permits covered health care providers to use and disclose such information for such treatment purposes.
  • Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the HIPAA Rules. OCR may waive this time limit if it determines that the person submitting the complaint shows good cause for not submitting the complaint within the 180-day time frame (e.g., circumstances that made submitting the complaint within 180 days impossible).

Content created by Office for Civil Rights (OCR)