Reporting Health Information Privacy Concerns to U.S. Department of Health & Human Services (HHS.gov)
How To File a Health Privacy Complaint
If you believe that a covered entity or business associate violated your (or someone else's) health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules, you may file a complaint with OCR. OCR can investigate complaints against covered entities and their business associates.
COVERED ENTITIES and BUSINESS ASSOCIATES - A covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically. A business associate is a person or entity that performs functions on behalf of, or provides services to, a covered entity that involve access to protected health information. For more information, please review our Understanding Health Information Privacy section or look at our responses to Frequently Asked Questions (FAQs) on our web site.
COMPLAINT REQUIREMENTS - Your complaint must:
- Be filed in writing, either electronically via the OCR Complaint Portal, or on paper by mail, fax, or e-mail;
- Name the covered entity or business associate involved and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules; and
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause."
ANYONE CAN FILE! - Anyone can file a complaint alleging a violation of the Privacy, Security or Breach Notification Rules. We recommend that you use the OCR Complaint Portal or the OCR Health Information Privacy Complaint Form Package. You can also request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please e-mail OCR at OCRComplaint@hhs.gov.
HIPAA PROHIBITS RETALIATION - Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
HOW TO SUBMIT YOUR COMPLAINT - To submit a complaint, please use one of the following methods.
- File your complaint electronically via the OCR Complaint Portal
- File a Complaint Using Our Health Information Privacy Complaint Package
- File a Complaint Without Using Our Health Information Privacy Complaint Package
- File a Security Rule Complaint
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
How to File a Patient Safety Confidentiality Complaint
OCR enforces the confidentiality provisions of the Patient Safety and Quality Improvement Act of 2005 (Patient Safety Act) and the Patient Safety and Quality Improvement Rule (Patient Safety Rule). The Patient Safety Rule went into effect on January 19, 2009. The Patient Safety Act and Rule establish a voluntary system for Patient Safety Organizations (PSOs) to aggregate and analyze data they receive from health care providers regarding medical errors and other patient safety events so as to improve patient safety and the provision of quality health care. To encourage provider reporting, the Patient Safety Act and Rule include Federal privilege and confidentiality protections for patient safety work product (PSWP). Information submitted to, and developed by, these PSOs is protected as PSWP.
If you believe that a person or organization impermissibly disclosed PSWP, you may file a complaint with OCR. OCR is responsible for the investigation and enforcement of the confidentiality provisions of the Patient Safety Rule. OCR will investigate complaints that allege potential violations of the Rule. To the extent practicable, OCR will provide technical assistance and seek informal resolution of complaints involving the impermissible disclosure of PSWP through voluntary compliance from the responsible person, entity or organization. When OCR is unable to achieve an informal resolution of an indicated violation through such voluntary compliance, the Secretary may impose a civil money penalty (CMP) of up to $11,000 for each knowing and reckless disclosure of PSWP that is in violation of the confidentiality provisions.
PSWP IS PROTECTED - PSWP is any information which (1) is assembled or developed by a health care provider for reporting to a PSO that is listed by the HHS Agency for Healthcare Research and Quality (AHRQ) and is documented as being within the provider's patient safety evaluation system for reporting to a PSO; (2) is developed by a PSO for the conduct of patient safety activities; or (3) identifies or constitutes the deliberations, or analysis of, or identifies the fact of reporting pursuant to a patient safety evaluation system.
PSWP may identify patients, health care providers and individuals that report medical errors or other patient safety events. This PSWP is confidential and may only be disclosed in certain very limited situations. See the Patient Safety Rule for a full description of the permissible disclosures. PSWP remains protected regardless of who holds the information. For more information about the Patient Safety Act and Patient Safety Rule, please review our Understanding Patient Safety Confidentiality section on our web site, or visit the Agency for Healthcare Research and Quality's web site.
COMPLAINT REQUIREMENTS - Your complaint must:
- Be filed in writing: sent by mail, fax or e-mail;
- Name the person that is the subject of the complaint and describe the act or acts believed to be in violation of the Patient Safety Act requirement to keep PSWP confidential; and,
- Be filed within 180 days of when you knew or should have known that the act complained of occurred. OCR may waive the 180-day time limit for "good cause" shown.
ANYONE CAN FILE! - Anyone can file a complaint with OCR. We recommend that you use the OCR Patient Safety Confidentiality Complaint Form and Consent Form Package. You can request a copy of this form from OCR headquarters. If you need help filing a complaint or have a question about the complaint package, please e-mail OCR at OCRMail@hhs.gov.
HOW TO SUBMIT YOUR COMPLAINT TO OCR - To submit a complaint to OCR, please use one of the following methods.
- File A Complaint Using the OCR Patient Safety Complaint Form
- If you choose not to use the OCR-provided Patient Safety Confidentiality Complaint Form and Consent Form Package, please provide the information specified below by mail, fax, or e-mail to OCRComplaint@hhs.gov.
Be sure to include the following information in your written complaint:
1. Your name
2. Full address
3. Telephone numbers
4. E-mail address (if available)
5. If known, the name of the patient, provider or reporter whose information was allegedly disclosed.
6. Name, full address and phone (if known) of the person, agency or organization you believe impermissibly disclosed patient safety work product.
7. Briefly describe what happened. How, why, and when you believe a person impermissibly disclosed patient safety work product.
8. Any other relevant information.
9. Your signature and date of complaint
The following information is optional:
1. Do you need special accommodations for us to communicate with you about this complaint?
2. Who else can we call if we cannot reach you?
3. Have you filed your complaint with any other agency, person or entity? If so, where?
And please let us know about any suspicious calls or emails you receive. We look for patterns so that we can alert the authorities and victims to new scams, before it is too late!