HOW TO FILE A HEALTH INFORMATION PRIVACY COMPLAINT WITH THE OFFICE FOR CIVIL RIGHTS
If you believe that a person, agency or organization covered under the HIPAA Privacy Rule (“a covered entity”) violated your (or someone else’s ) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR). OCR has authority to receive and investigate complaints against covered entities related to the Privacy Rule. A covered entity is a health plan, health care clearinghouse, and any health care provider who conducts certain health care transactions electronically. For more information about the Privacy Rule, please look at our responses to Frequently Asked Questions (FAQs) and our Privacy Guidance. (See the web link near the bottom of this form.)
Complaints to the Office for Civil Rights must: (1) Be filed in writing, either on paper or electronically; (2) name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule; and (3) be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.” Any alleged violation must have occurred on or after April 14, 2003 (on or after April 14, 2005 for small health plans), for OCR to have authority to investigate.
Anyone can file written complaints with OCR by mail, fax, or email. If you need help filing a complaint or have a question about the complaint form, please call this OCR toll free number: 1-800-368-1019. OCR has ten regional offices, and each regional office covers certain states. You should send your complaint to the appropriate OCR Regional Office, based on the region where the alleged violation took place. Use the OCR Regions list at the end of this Fact Sheet, or you can look at the regional office map to help you determine where to send your complaint. Complaints should be sent to the attention off the appropriate OCR Regional Manager.
You can submit your complaint in any written format. We recommend that you use the OCR Health Information Privacy Complaint Form which can be found on our web site or at an OCR Regional office. If you prefer, you may submit a written complaint in your own format. Be sure to include the following information in your written complaint:
Your name, full address, home and work telephone numbers, email address.
If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.
Briefly describe what happened. How, why, and when do believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?
Any other relevant information.
Please sign your name and date your letter.
The following information is optional:
Do you need special accommodations for us to communicate with you about this complaint?
If we cannot reach you directly, is there someone else we can contact to help us reach you?
Have you filed your complaint somewhere else?
via HIPAA News, Regulations, Compliance, Complaints, Penalties, Privacy and Security.