How to Complain About a HIPAA Violation

It is not always clear how individuals can complain about a HIPAA violation when personal health information has been used or disclosed impermissibly by a Covered Entity or Business Associate. This guide offers advice about who to complain to and what should be included in your complaint.

As a patient of a healthcare facility or as a member of a health plan, you should have received a Notice of Privacy Practices when you first registered as a patient or enrolled in the health plan. The Notice of Privacy Practices should explain your rights under HIPAA and how your individually identifiable health information can be used or disclosed.

The Notice of Privacy Practices should also explain how to complain about a HIPAA violation if you feel your rights under HIPAA have been violated or if you believe your health information has been used or disclosed for purposes other than those mentioned. It is not necessary to have proof of the violation, use, or disclosure in order to make a complaint.

Under §164.520 of the Privacy Rule, the Notice of Privacy Practices must contain a contact phone number and email address for the organization's Privacy Officer and the address, phone number, and website for HHS' Office for Civil Rights. In large and affiliated organizations, it is possible the Notice will include contact details for more than one Privacy Officer.

Who Do You Complain To About a HIPAA Violation?

This can depend on the nature of the violation, who is responsible for the violation, and your relationship with the healthcare facility or health plan. It may also depend on what you want the outcome of any investigation or enforcement action to be. Additionally, although there is no private right of action under HIPAA, some state laws allow you to seek damages.

Therefore, if a conversation you had with a medical professional was overheard by another patient, but you do not believe the information will be repeated and you have a good relationship with the healthcare facility, you might just want to complain about a HIPAA violation to the facility's Privacy Officer to alert them to the violation and leave it at that.

However, if personal information you provided to your health plan appears on the Internet, this indicates there has been a data breach. Under the Breach Notification Rule, you should have been notified of the breach by the health plan. If you have been notified, no further action is required because the breach will also have been reported to HHS' Office for Civil Rights.

If you have not been notified, not only is the health plan (or a Business Associate) guilty of failing to secure your personal information, but it is also in violation of the Breach Notification Rule. In this scenario, you should complain about a HIPAA violation directly to HHS' Office for Civil Rights. You may, if you wish, also complain to the health plan's Privacy Officer.

If you intend to seek damages, you will need to complain about a HIPAA violation to both HHS' Office for Civil Rights and your state's Attorney General. While not all states have privacy laws that permit a private right of action for every type of impermissible disclosure, you may be able to seek damages for a disclosure of specific information – for example, biometric information.

How Do You Complain About a HIPAA Violation?

This depends on who you are complaining to about a HIPAA violation. If you are making a complaint only to a healthcare facility or health plan, you usually have the options of calling and speaking with the Privacy Officer or sending them an email. If the complaint is more serious than (say) an overheard conversation, it is better to use a secure email service so you have a permanent record of the complaint, and to request a read receipt so you know the email has been delivered and opened.

If you are filing a HIPAA complaint with HHS' Office for Civil Rights, the Office for Civil Rights provides a toll-free phone number for its Customer Response Center (800 368-1019). However, many staff are currently working remotely and it is better to complete and print the Health Information Privacy & Security Complaint Form (PDF) before faxing the form or emailing it to OCRComplaint@hhs.gov – again using a secure email service. Alternatively, you can use the OCR Complaints Portal.

The OCR Complaints Portal isn't particularly easy to use, and you will need to have already uploaded to your computer any documents you wish to use in support of your complaint. Nonetheless, the Office for Civil Rights strongly encourages complainants to use the portal due to a lack of onsite staff that can attend to phone, fax, and email enquiries. Consequently, if you want to get a faster response and resolution when you complain about a HIPAA violation, it is better to use the portal.

With regards to making a complaint about a HIPAA violation to a State Attorney General, you will need to search for your State Attorney General's website and click on the "File a Complaint" button. Some websites have an online portal similar to the OCR Complaints Portal, while others require you to download and complete a form. When you complete the form, you should mention that you have also filed a HIPAA complaint with HHS' Office for Civil Rights to avoid duplicating any investigation.

What to Include When You File a HIPAA Complaint

Whether you file a HIPAA complaint with a healthcare facility, health plan, HHS' Office for Civil Rights, or State Attorney General, the information to include is always the same:

  • Your name (anonymous complaints are not investigated)
  • Your phone number in case there is a query about the complaint
  • Your address and email address (if you have an email address)
  • The name and address of the organization you are complaining about
  • The date(s) on which the impermissible use(s) or disclosure(s) occurred
  • A description of why you feel your rights under HIPAA have been violated
  • Any other information you feel is relevant to your complaint.

If you file a HIPAA complaint with HHS' Office for Civil Rights or State Attorney General, you will need to consent to your information being shared with the organization you are complaining about and any other agencies that may become involved in an investigation. For example, if HHS' Office for Civil Rights believes that an impermissible disclosure of health information is attributable to criminal activity, they will refer the complaint to the Department of Justice.

Under §160.316 of the HIPAA Administrative Simplification provisions, organizations are prohibited from threatening, intimidating, coercing, harassing, or discriminating against you when you file a HIPAA complaint. If you experience any negative reaction, you should report it to HHS' Office for Civil Rights – even if your original complaint was only made to a healthcare facility or health plan – because a negative reaction is also a violation of HIPAA about which you have the right to complain.