How To File a Privacy Rule Complaint
If you believe that a covered entity violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with OCR. OCR can investigate complaints against covered entities related to the Privacy Rule.
COVERED ENTITIES - A covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically. For more information about the Privacy Rule, please review our Understanding HIPAA Privacy section or look at our responses to Frequently Asked Questions (FAQs) on our web site.
COMPLAINT REQUIREMENTS - Your complaint must:
- Be filed in writing, either on paper or electronically, by mail, fax, or email;
- Name the covered entity involved and describe the acts or omissions you believe violated the requirements of the Privacy Rule; and
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause."
ANYONE CAN FILE! - Anyone can file written complaints with OCR. We recommend that you use the OCR Health Information Privacy Complaint Form Package. You can request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please email OCR at OCRMail@hhs.gov.
THE HIPAA PRIVACY RULE PROHIBITS RETALIATION - Under the Privacy Rule an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
HOW TO SUBMIT YOUR COMPLAINT TO OCR - To submit a complaint to OCR, please use one of the following methods.
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by email because submission by email represents your signature.
File A Complaint Using Our Health Information Privacy Complaint Package
File A Complaint Without Using Our Health Information Privacy Complaint Package
If you choose not to use the OCR Health Information Privacy Complaint Form Package, please provide the information specified below by either:
- mail or fax to the appropriate OCR regional office; or
- email to OCRComplaint@hhs.gov.
If you prefer, you may submit a written complaint in your own format. Be sure to include the following information:
- Your name
- Full address
- Telephone numbers
- E-mail address (if available)
- Name, full address and telephone number of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule
- Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy Rule otherwise was violated
- Any other relevant information
- Your signature and date of complaint
If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
The following information is optional:
- Do you need special accommodations for us to communicate with you about this complaint?
- Who else can we call if we cannot reach you?
- Have you filed your complaint somewhere else? If so, where?