Anyone can file a health information privacy or security complaint. Your complaint must:
HIPAA Prohibits Retaliation
Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
Open the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:
You will then need to electronically sign the complaint and complete the consent form. After completing the consent form you will be able to print out a copy of your complaint to keep for your records
File a Complaint Using the Health Information Privacy Complaint Form Package
Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:
File A Complaint Without Using Our Health Information Privacy Complaint Package
If you prefer, you may submit a written complaint in your own format by either:
Be sure to include:
If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
You may also include:
You may file a Security Rule complaint electronically via the OCR Complaint Portal, or using our Health Information Privacy Complaint Package.
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
Before You File a Complaint
Are you filing a complaint against an entity that is required by law to comply with the Privacy and Security Rules?
Not all entities are required to comply with the Privacy and Security Rules. OCR can only investigate the covered entities that must comply with these rules. Covered entities include most:
Does your complaint describe an activity that might violate the Privacy or Security Rule?
If you are not sure, go ahead and file your complaint. But, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so we would not investigate a complaint that described this situation.
Did the activity occur after the Privacy and Security Rules took effect?
OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date. Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.
Are you willing to give OCR your name and contact information?
OCR does not investigate complaints filed without a name and contact information on the complaint. If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.