The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a federal law that protects the privacy of patients' health information and records and mandates the enactment of security measures to protect patients' health information and records that are stored electronically. If you believe your health information has been compromised in violation of HIPAA, you can file a complaint to report the violation.

Method 1 of 3: Reporting a HIPAA Violation

  1. Obtain the form package. The Office for Civil Rights ("OCR") of the U.S. Department of Health & Human Services provides an OCR Health Information Privacy Complaint Form Package on its website.[1] You will use this form to report a HIPAA violation by downloading it, completing it, and then submitting it to the appropriate entity.
  2. Read through the form package. The form package consists of eight pages.[2] Before you begin to fill out the form, you should take some time and read through the entirety of the form package. You will use the first two pages to actually report the HIPAA violation.
    • The third and fourth pages comprise a consent form, which you can fill out to authorize OCR to access your personal information while the office investigates your complaint.
    • The last four pages provide information on what OCR can do with your personal information, how it will be protected, and when it can be disclosed.
  3. Provide identifying information. The top half of the first page of the complaint form requires you to provide information so that OCR can identify who is reporting the HIPAA violation. You will need to provide your name, phone number, street address, and e-mail address.[3]
    • If you are completing the form for someone else, check the relevant box and write in that person's name in the appropriate section.
  4. Provide information about the HIPAA violation. On the second half of the first page, you will need to detail the who, when, and what of the alleged HIPAA violation. You will need to provide the name and street address of the entity you believe committed the violation, and the date on which the violation occurred.[4] You will then need to briefly describe how the named entity violated your (or someone else's) rights under HIPAA.
    • When describing the nature of the violation, you should be as specific as possible. You don't need to use complex legal language or reference the HIPAA statute itself. Simply write down the sequence of events you believe led to the violation, and then provide as much detail as you can about the violation and how it has affected you.
    • If you need more space than is provided, you can attach additional pages.
  5. Provide optional information. The second page of the complaint form is completely optional.[5] This part of the form asks you to identify any special needs you might have that could affect communication with OCR, allows you to provide an additional contact if OCR cannot reach you directly to discuss your report, asks if you have filed your complaint anywhere else, and asks about race/ethnicity and how you heard about OCR.
    • Complete all, some, or none of this section as you wish.
  6. Sign and date the form. On the bottom of the first page, there is a space to sign and date the form.[6] You will need to do this before submitting it.
  7. Complete the Complainant Consent Form. The third and fourth pages of the form package are a consent form that must be submitted along with the complaint form you just completed.[7] Read through the form and decide if you wish to consent to OCR accessing and revealing your personal information to certain entities during the course of its investigation. Then, check the appropriate box with regard to your consent decision, write in your address and telephone number, and sign and date the form.
    • Consent is entirely voluntary, but OCR warns that failure to provide consent can impede its investigation and ultimately close it.[8]
  8. Submit your complaint. After you have completed both the complaint and consent forms (again, the first four pages of the form package), you have several options for submitting your complaint to OCR:[9]
    • You can print out the completed forms and either mail or fax them to the appropriate regional OCR office (the OCR office in the region where the violation occurred). OCR provides a list of contact information for its regional offices online.
    • You can e-mail the completed forms to OCR at OCRComplaint@hhs.gov.

Method 2 of 3: Using Alternative Methods to Report HIPAA Violations

  1. Submit a written complaint. If you don't want to use the official form package OCR provides on its website to report a HIPAA violation, you can also just write out a complaint in your own format. You will then submit the written complaint in the manner you would submit the official form (by mail or fax to the relevant regional office or by e-mail).[10] You are required to include the following information in your written complaint:[11]
    • Your name, street address, telephone number, and e-mail address.
    • The name, street address, and telephone number of the entity you believe committed the violation.
    • A brief description of the violation (specifically: the how, why, and when of the violation).
    • Your signature and the date of the complaint.
    • If you are filing the complaint on behalf of another person, you must include that person's name as well.
  2. Submit a complaint online. You can also file a complaint electronically using the OCR Complaint Portal.[12] Open the portal, select the type of complaint you wish to make, and complete the questions as they are presented to you. You will provide identifying information, detail the nature of your complaint, and provide other information that could assist OCR in investigating or reviewing your complaint.[13] Then simply click the button to submit your complaint.
    • You will be given the option to print out a copy of your complaint.

Method 3 of 3: Knowing When to Report a HIPAA Violation

  1. File a complaint against a "covered entity." HIPAA does not require everyone to comply with its rules. Only those entities that HIPAA considers a "covered entity" are capable of such a violation. "Covered entities" include healthcare providers, health plans, and healthcare clearinghouses.[14] The following entities are generally required to comply with HIPAA, and can therefore be investigated for a violation by OCR:[15]
    • Doctors, psychologists, chiropractors, dentists.
    • Hospitals, clinics, nursing homes, pharmacies.
    • Health-insurance companies, company health plans.
    • Government healthcare programs such as Medicaid or Medicare.
  2. Know who you cannot report. Just as there are certain entities that are covered by HIPAA's provisions, there are those that are not bound by its rules and therefore incapable of violating them. OCR will not investigate a complaint filed against the following entities:[16]
    • Employers, life insurers, workers' compensation carriers.
    • Many schools/school districts.
    • Many state agencies, such as those dealing with child-protective services.
    • Many law-enforcement agencies.
    • Many municipal offices.
  3. Know what information is protected. The HIPAA Privacy Rule protects your privacy by regulating who is allowed to see or receive your healthcare information. The HIPAA Security Rule requires any covered entity that stores your healthcare information in electronic form to have taken the appropriate security measures to protect that information from unauthorized access.[17] The following information is protected under HIPAA:[18]
    • Information placed into your medical record by a healthcare provider.
    • Conversations your doctor has with other healthcare professionals regarding your care or treatment.
    • Billing information at your clinic and personal information held by your health insurer.
  4. Know what covered entities are required to do to protect your information. HIPAA requires covered entities to put in place certain measures and take certain actions to ensure that your healthcare information is protected from unauthorized access or disclosure. Specifically, such an entity must do the following:[19] [20]
    • Establish safeguards to protect your health information and not use or disclose your health information in an improper way.
    • Limit use and disclosure of your health information to only that which is necessary.
    • Establish procedures to limit access to your health information.
    • Train employees on how to protect your health information.
  5. Know your rights. HIPAA also gives each individual certain rights over their own healthcare information. Any covered entity must respect and comply with these rights. These rights include:[21] [22] [23]
    • Asking to view or obtain a copy of your health records.
    • Having your health records corrected as appropriate.
    • Receiving a notice regarding how your health information is used and shared, and getting a report detailing when and why your health information was used or shared.
    • Deciding if your health information can be shared for other purposes, such as marketing.

Warnings

  • You must file a complaint reporting a HIPAA violation within 180 days of when you knew the violation occurred.[25]
  • The alleged privacy violation must have occurred on or after April 14, 2003, in order for OCR to be able to investigate the violation. An alleged security violation must have occurred on or after April 20, 2005.[26]

About This Article

Co-authored by: Clinton M. Sandvick, JD, PhD
Doctor of Law, University of Wisconsin-Madison
This article was co-authored by Clinton M. Sandvick, JD, PhD. Clinton M. Sandvick worked as a civil litigator in California for over 7 years. He received his JD from the University of Wisconsin-Madison in 1998 and his PhD in American History from the University of Oregon in 2013.
Updated: January 19, 2023

Article Summary

If you believe your health information has been compromised in violation of HIPAA, you can file a complaint against the person or organization. You can generally file a complaint against healthcare professionals and administrators, health insurance companies, and government healthcare programs that violate the HIPAA law. Download and print a privacy complaint form package from the Office of Civil Rights website. Make sure to carefully read and complete all 8 pages of the form so it can be processed properly. Once you've finished and signed your forms, mail them to the provided address. Alternatively, you can email your form to the address on it if you'd rather fill it out on a computer. For more advice from our Legal co-author, including how to submit a hand-written complaint, read on.