Patients have the right to file a complaint with the Office for Civil Rights (OCR) if their health information privacy or security has been compromised. OCR can investigate and address any potential violations.
What does the HHS say about complaints?
According to the U.S. Department of Health and Human Services (HHS):
- You can file a civil rights complaint with the Office for Civil Rights (OCR) if you believe that a healthcare provider or government agency unlawfully discriminated against you or someone else.
- If you feel that a healthcare provider or government agency unlawfully coerced or discriminated against you or someone else, you may submit a conscience or religious freedom complaint with OCR.
- You have the option to file a complaint with OCR if you believe your rights under the HIPAA regulations have been violated.
- You may read about the Patient Safety Confidentiality Act and find information on how to file a complaint online or in writing.
- You can find information about breach notifications, view a list of breaches affecting 500 or more individuals, and submit notifications regarding breaches of unsecured protected health information.
Understanding the complaint requirements
Anyone can file a health information privacy or security complaint by mail, fax, email, or the OCR Complaint Portal. Here are the key requirements for complaints:
Identification: Provide the name of the covered entity or business associate involved in the alleged violation. Additionally, describe the acts or omissions violating the requirements of the Privacy, Security, or Breach Notification Rules.
Timeline: Your complaint must be filed within 180 days of the act or omission. OCR may extend this period if a patient can demonstrate "good cause" for the delay.
Prohibition of retaliation: HIPAA prohibits any form of retaliation against individuals who file complaints.
Read more: Understanding and implementing HIPAA rules
Filing a complaint online
The OCR complaint portal provides a convenient and efficient way to file health information privacy complaints online:
Access the OCR complaint portal: Open the OCR Complaint Portal and select the type of complaint you would like to file.
Provide necessary information: Fill out the complaint form with as much information as possible. This includes details about yourself, the complainant, and the specifics of the complaint. You can also have any additional information that might help OCR when reviewing your complaint.
Electronic signature and consent: Electronically sign the complaint and complete the consent form. This step ensures that you authorize OCR to investigate your complaint. After completing the consent form, print out a copy of your complaint for your records.
Filing a security rule complaint
OCR also accepts security rule complaints. The process for filing a Security Rule complaint is similar to filing a health information privacy complaint. You can file a Security Rule complaint electronically through the OCR Complaint Portal or the Health Information Privacy Complaint Package.
Mail or fax the complaint to the appropriate OCR regional office based on where the alleged violation occurred.
Read more: What is the HIPAA Security Rule?
Before you file a complaint
Ask yourself the following questions before filing a health information privacy or security complaint with OCR:
Is the entity required to comply with the Privacy and Security Rules?
Not all entities are obligated to comply with these rules. OCR can only investigate complaints against covered entities that must adhere to privacy and security regulations.
Does your complaint describe a potential violation?
OCR can only investigate complaints that allege actions or omissions failing to comply with the Privacy or Security Rules. It's still worth filing your complaint if you are uncertain, but be aware that certain situations may not constitute violations.
Did the activity occur after the effective dates of the rules?
OCR cannot investigate complaints that pertain to incidents that occurred before the implementation dates. The Privacy Rule became mandatory on April 14, 2003, while the Security Rule compliance became obligatory on April 20, 2005.
Are you willing to share your name and contact information?
To initiate an investigation, OCR requires your name and contact information. If you wish to keep your identity confidential in the inquiry, specify this on the complaint form.
FAQs
What is an OCR complaint form?
An OCR complaint form is a document used to report potential violations of the Health Insurance Portability and Accountability Act (HIPAA) to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services.
Who can file an OCR complaint?
Any individual or entity that believes their HIPAA rights have been violated can file a complaint with OCR, including patients, healthcare providers, and business associates.
What types of complaints can be filed with OCR?
Complaints can involve violations related to privacy, security, or breaches of protected health information (PHI) by covered entities, such as healthcare providers and health plans.
How do I submit an OCR complaint form?
Complaints can be submitted online through the OCR website, by mail, or via email. The form requires specific details about the alleged violation and the parties involved.
What happens after I file an OCR complaint?
After submission, OCR will review the complaint to determine if it falls within their jurisdiction. They may investigate the claims and take appropriate enforcement actions if violations are found.
See also: HIPAA Compliant Email: The Definitive Guide
Farah Amod
