How to File a Health Information Privacy or Security Complaint
Filing a health information privacy or security complaint is a protected right under the Health Insurance Portability and Accountability Act (HIPAA). This process allows any individual to report concerns regarding the privacy or security of their health information. The key components involved in filing such a complaint include completing the required forms, providing as much detail as possible, and electronically signing and consenting to the process. The Office for Civil Rights (OCR) encourages the use of its online portal for faster and more efficient complaint processing. If you are considering filing a complaint, request an itemized estimate of any associated legal or administrative fees, and maintain copies of all submitted documents for your records.
Cost Breakdown
- Filing a complaint with OCR is free—there are no charges for submitting your health information privacy or security complaint.
- If you choose to consult an attorney or patient advocate, those services may incur fees; request itemized estimates if seeking professional assistance.
- Administrative costs (copying, mailing, etc.) are minimal if using the online portal.
Associated Costs
- No cost to file directly with OCR.
- Potential costs if you hire legal counsel or require certified copies of records.
- Minimal expenses for printing documents if submitting by mail.
Insurance & Payment Advice
- Insurance does not cover the process of filing privacy or security complaints, as this is a regulatory rather than medical process.
- If the privacy breach results in identity theft or financial loss, consult your insurance provider regarding possible coverage or support services.
Tips for Filing a Complaint
- Gather all relevant information before beginning the complaint process.
- Use the OCR online portal for faster response times.
- Keep copies of all forms and correspondence for your records.
- If you experience retaliation, report it to OCR immediately as this is prohibited under HIPAA.
Frequently Asked Questions
- Is there a fee to file a HIPAA privacy or security complaint? No, there is no fee to file a complaint with the Office for Civil Rights (OCR).
- Can anyone file a health information privacy complaint? Yes, anyone—including patients, family members, or advocates—can file a complaint if they believe their privacy rights have been violated.
- What information do I need to include in my complaint? Include as much detail as possible, such as the name of the entity, a description of the incident, and relevant dates.
- How do I file a complaint online? Access the OCR Complaint Portal, select your complaint type, complete the required fields, electronically sign, and submit.
- Can I file a complaint by mail? Yes, you can file by mail, but online submission is recommended for faster processing due to limited on-site personnel.
- What happens after I file a complaint? OCR will review your complaint and may contact you for additional information or to inform you of the outcome.
- Will filing a complaint affect my care? Entities are prohibited by HIPAA from retaliating against you for filing a complaint; your care should not be affected.
- How long does it take to process a complaint? Processing times vary, but using the online portal may result in quicker handling.
- Do I need a lawyer to file a complaint? No, legal representation is not required to file a complaint with OCR.
- Should I keep copies of the complaint and correspondence? Yes, always keep copies for your records and future reference.
- What should I do if I experience retaliation after filing? Immediately notify OCR, as retaliation is strictly prohibited under HIPAA.
Complaint Requirements
Anyone can file a health information privacy or security complaint. Your complaint must:
- Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
- Name the covered entity or business associate involved, and describe the acts or omissions you believed violated the requirements of the Privacy, Security, or Breach Notification Rules
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause”
HIPAA Prohibits Retaliation
Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
File a Health Information Privacy Complaint Online
Open the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:
- Information about you, the complainant
- Details of the complaint
- Any additional information that might help OCR when reviewing your complaint
You will then need to electronically sign the complaint and complete the consent form. After completing the consent form you will be able to print out a copy of your complaint to keep for your records.
File a Health Information Privacy Complaint in Writing
NOTE: in accordance with the Office for Personnel Management’s and CDC’s guidelines on COVID-19, HHS personnel are teleworking. OCR is committed to handling your complaint as quickly as possible. However, for faster processing we strongly encourage you to use the OCR online portal to file complaints rather than filing via mail as our personnel on site is limited.
File a Complaint Using the Health Information Privacy Complaint Form Package
Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:
- Print and mail the completed complaint and consent forms to:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
- Email the completed complaint and consent forms to OCRComplaint@hhs.gov (Please note that communication by unencrypted email presents a risk that personally identifiable information contained in such an email may be intercepted by unauthorized third parties)
File A Complaint Without Using Our Health Information Privacy Complaint Package
If you prefer, you may submit a written complaint in your own format by either:
- Print and mail the completed complaint and consent forms to:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
- Email to OCRComplaint@hhs.gov
Be sure to include:
- Your name
- Full address
- Telephone numbers (include area code)
- E-mail address (if available)
- Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
- Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
- Any other relevant information
- Your signature and date of complaint
If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
You may also include:
- If you need special accommodations for us to communicate with you about this complaint
- Contact information for someone who can help us reach you if we cannot reach you directly
- If you have filed your complaint somewhere else and where you’ve filed
File a Security Rule Complaint
You may file a Security Rule complaint electronically via the OCR Complaint Portal, or using our Health Information Privacy Complaint Package (PDF).
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
Before You File a Complaint
Don’t waste time filing a complaint we can’t investigate. Review these questions before filing a health information privacy or security complaint with OCR:
Are you filing a complaint against an entity that is required by law to comply with the Privacy and Security Rules?
Not all entities are required to comply with the Privacy and Security Rules. OCR can only investigate the covered entities that must comply with these rules. Covered entities include most:
- Doctors
- Clinics
- Hospitals
- Psychologists
- Chiropractors
- Nursing Homes
- Pharmacies
- Dentists
- Health Insurance Companies
- Company Health Plans
- Medicare, Medicaid, and other government programs that pay for health care
Does your complaint describe an activity that might violate the Privacy or Security Rule?
If you are not sure, go ahead and file your complaint. But, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so we would not investigate a complaint that described this situation.
Did the activity occur after the Privacy and Security Rules took effect?
OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date. Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.
Are you willing to give OCR your name and contact information?
OCR does not investigate complaints filed without a name and contact information on the complaint. If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.