Filing a complaint with OCR – HIPAA

One can file a complaint with OCR if he/she believes that a covered entity violated health information privacy rights or committed another violation of the Privacy Rule. OCR can investigate complaints against covered entities related to the Privacy Rule. Under the Privacy Rule an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

The rules which the complaint must follow are:

  • The complaint must be filed in writing, either on paper or electronically, by mail, fax, or email.
  • It should contain the name of the covered entity involved and describe the acts or omissions you believe violated the requirements of the Privacy Rule.
  • The complaint must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. There is no need to sign the complaint and consent forms if sent by email because submission by email represents your signature.