How To File a Complaint
If you believe that a covered entity violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule, you may file a complaint with OCR. OCR can investigate complaints against covered entities and their business associates.
COVERED ENTITIES and BUSINESS ASSOCIATES - A covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically. A business associate is a person or entity that creates, receives, maintains, or transmits protected health information for a covered entity. For more information, please review our Understanding Health Information Privacy section or look at our responses to Frequently Asked Questions (FAQs) on our web site.
COMPLAINT REQUIREMENTS - Your complaint must:
- Be filed in writing, either on paper or electronically, by mail, fax, or e-mail;
- Name the covered entity or business associate involved and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules; and
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause."
ANYONE CAN FILE! - Anyone can file a complaint alleging a violation of the Privacy or Security Rule. We recommend that you use the OCR Health Information Privacy Complaint Form Package. You can also request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please e-mail OCR at OCRMail@hhs.gov.
HIPAA PROHIBITS RETALIATION - Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
HOW TO SUBMIT YOUR COMPLAINT - To submit a complaint, please use one of the following methods.
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
File A Complaint Using Our Health Information Privacy Complaint Package
File A Complaint Without Using Our Health Information Privacy Complaint Package
If you choose not to use the OCR Health Information Privacy Complaint Form Package, please provide the information specified below by either:
- mail or fax to the appropriate OCR regional office; or
- e-mail to OCRComplaint@hhs.gov.
If you prefer, you may submit a written complaint in your own format. Be sure to include the following information:
- Your name
- Full address
- Telephone numbers
- E-mail address (if available)
- Name, full address and telephone number of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
- Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
- Any other relevant information
- Your signature and date of complaint
If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
The following information is optional:
- Do you need special accommodations for us to communicate with you about this complaint?
- Who else can we call if we cannot reach you?
- Have you filed your complaint somewhere else? If so, where?