The Complaint Process


Individuals who believe their Protected Health Information (PHI) has been breached can file a complaint with federal Office of Civil Rights (OCR). OCR may investigate complaints against covered entities and their business associates.  
Complaint Requirements
A complaint must:
  • Be filed in writing, either electronically via the OCR Complaint Portal, or on paper by mail or fax;
  • Name the covered entity or business associate involved and describe the acts or omissions believed to violate privacy, security, or breach notification rules; and,
  • Be filed within 180 days of knowing that the alleged act or omission occurred. OCR may extend the 180-day period.
 
Anyone Can File
OCR recommends that complaints be filed through its Complaint Portal or through its Health Information Privacy Complaint Form Package. Those needing help may email OCR at [email protected].  
HIPAA Prohibits Retaliation
Under HIPAA an entity cannot retaliate against a patient for filing a complaint.

Upcoming Events

10 Steps to Compliance