Step-by-Step Guide to Filing a HIPAA Complaint in 2023
Understanding HIPAA Complaint Eligibility
If you believe your health information was mishandled, you can submit a written complaint to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). HIPAA applies to a HIPAA-covered entity (such as a doctor, hospital, health plan) or a business associate that handles protected health information on a covered entity’s behalf.
Qualifying issues include unauthorized disclosures, denial or delay of your right of access, inadequate safeguards, or breach notices that arrive after the required notification timeframe. Complaints generally must be filed within 180 days of when you knew (or should have known) of the violation; OCR may extend this deadline for good cause.
HIPAA does not cover every privacy dispute. For example, some employment or app-related data may fall outside HIPAA. If your concern involves non-HIPAA actors, you may still have options under state health department guidelines or consumer protection laws.
Preparing Your Written Complaint
What to include
- Your name and contact information (and whether you prefer correspondence by mail, phone, or email).
- The name of the HIPAA-covered entity or business associate you believe violated HIPAA.
- Dates, locations, and a concise description of what happened and how it affected you.
- Any supporting documents (letters, portal messages, screenshots, notices) that illustrate the issue.
- If filing for someone else, your relationship to the individual and documentation showing your authority to act.
Tips for clarity and impact
- Stick to the facts: who, what, when, where, and which HIPAA requirement was affected.
- Map events to HIPAA concepts, such as improper disclosure, denial of access, inadequate security, or breach notices that missed the required notification timeframe.
- State your desired outcome (e.g., access to records, correction, training, or corrective action).
- Keep copies of everything you submit for your records.
Methods for Submitting HIPAA Complaints
Online submission
The fastest route is the OCR Complaint Portal. You’ll create a submission, identify the HIPAA-covered entity or business associate, upload evidence, and certify that your statements are true. You can track status and provide additional details if OCR requests them.
Mail, fax, or email
You may also send a signed, written complaint to the appropriate OCR regional office by mail, fax, or email. Include your contact information, a detailed description, the names of involved parties, and any attachments. If you need accessibility or language assistance, tell OCR in your submission.
Privacy and identity requests
You can ask OCR not to share your identity with the entity. Understand that limiting disclosure may affect OCR’s ability to investigate. Provide a reliable way for OCR to reach you for follow-up.
What to Expect During the Complaint Review
Initial review and triage
OCR first checks jurisdiction, timeliness, and whether the facts describe a potential HIPAA violation. If your complaint fits, OCR may open an investigation, seek additional information, or provide technical assistance to achieve quick resolution.
Investigation process
OCR typically contacts the entity, requests records, and evaluates policies, safeguards, and response actions. Outcomes may include corrective action, voluntary compliance, resolution agreements, or, in some cases, civil monetary penalties.
Updates and timing
The complaint investigation timeline varies by complexity, volume of evidence, and cooperation of the parties. OCR provides written closure or resolution letters. Respond promptly to any OCR requests to keep your case moving.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Protecting Against Retaliation
Retaliation prohibition under HIPAA bars covered entities and business associates from punishing you for filing a complaint or exercising HIPAA rights. Retaliation can include firing, intimidation, service denial, or adverse billing actions tied to your complaint.
If you experience retaliation, document what happened, when, and who was involved, and notify OCR promptly. Keep all related emails, letters, and notes to substantiate your report.
State-Specific Complaint Procedures
Many states offer additional privacy protections and complaint paths. Review your state health department guidelines and, when applicable, the attorney general’s consumer protection process. State rules may have different deadlines and remedies that complement federal enforcement.
You can file with OCR and your state simultaneously when both have jurisdiction. Note any state case numbers in your OCR submission to help coordinate reviews.
Contacting the Office for Civil Rights
Before filing, you can contact OCR to ask whether your issue appears to fall under HIPAA and which submission method fits your needs. When unsure about the correct regional office, provide your state and the entity’s location so staff can direct you.
If you require accommodations or language services, request them at the outset. Clear, complete information speeds intake and helps OCR focus its review.
Conclusion
Confirm eligibility, assemble a precise written account, and submit via the OCR Complaint Portal or by mail, fax, or email. Cooperate during review, track your complaint investigation timeline, and assert your rights under the retaliation prohibition. Consider parallel state avenues guided by your state health department guidelines to fully protect your privacy.
FAQs
How do I file a HIPAA complaint anonymously?
You can ask OCR to keep your identity confidential and not disclose it to the entity. Provide a working email address or phone number so OCR can reach you; withholding details can limit the investigation, so consider at least giving OCR a direct way to contact you.
What information is required to file a HIPAA complaint?
Include your contact details, the name of the HIPAA-covered entity or business associate, the dates and facts of the incident, and any supporting documents. State which HIPAA requirement was affected (e.g., an improper disclosure or a breach notice that missed the required notification timeframe).
Can I file a HIPAA complaint after 180 days?
Complaints should be filed within 180 days of when you knew of the violation. OCR may grant an extension for good cause; explain the delay and attach any documentation that supports your request.
What happens after a HIPAA complaint is submitted?
OCR conducts intake, assesses jurisdiction and timeliness, and may open an investigation. You may receive requests for information, technical assistance offers, or a formal resolution. OCR will close the case with a written outcome once the review is complete.