Skip Navigation

Before You File a Complaint with OCR...

Before filing a complaint with OCR, please consider the questions below.  We do not want you to spend time filing a complaint if we cannot investigate it.Family with children

1.  Are you filing a complaint against an entity that is required by law to comply with the Privacy and Security Rules? 

Not all entities are required to comply with the Privacy and Security Rules.  OCR can only investigate entities that must comply with these rules.  These covered entities include most health care providers, health plans, and health care clearinghouses.  OCR cannot investigate complaints against entities that are not covered entities. 

Most of these are Covered Entities required to comply with the Privacy and Security Rules These are NOT covered entities and are NOT required to comply with the Privacy and Security Rules
  • Doctors
  • Clinics
  • Hospitals
  • Psychologists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Dentists
  • Health Insurance Companies
  • Company Health Plans
  • Medicare, Medicaid, and other government programs that pay for health care
 
  • Employers
  • Life Insurers
  • Workers compensation carriers
  • Many schools and school districts
  • Many state agencies, such as child protective services agencies
  • Many law enforcement agencies
  • Many municipal offices

2.  Does your complaint describe an activity that might violate the Privacy or Security Rule?

If you are not sure, go ahead and file your complaint.  But, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules.  For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so we would not investigate a complaint that described this situation.  Please visit our Understanding HIPAA Privacy section to find out more about how the Privacy Rule works.

3.  Did the activity occur after the Privacy and Security Rules took effect?

OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date.  Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.

4.  Are you willing to give OCR your name and contact information?  OCR does not investigate complaints filed without a name and contact information on the complaint.  If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.

File a Health Information Privacy Complaint with OCR.

Back to Top