Home Compliance StandardsHIPAA / Healthcare Industry How to File a HIPAA Complaint
HIPAA / Healthcare Industry

How to File a HIPAA Complaint

by RSI Security
written by RSI Security

If you believe your private health information has been mishandled or exposed, you have the right to file a HIPAA complaint and hold the responsible party accountable.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect sensitive patient data, and when those protections are violated, individuals and organizations can take action by filing a formal complaint.

These complaints are typically investigated by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).

In this article, we’ll walk you through:

  • Who can file a HIPAA complaint
  • What qualifies as a HIPAA violation
  • Where and how to file the complaint
  • What happens after the complaint is submitted

Whether you’re a patient, healthcare worker, or third-party vendor, understanding the HIPAA complaint process is crucial for protecting your rights and maintaining compliance. Let’s dive in.

HIPAA: Background Information

Before we dive into the complaint process, it’s helpful to understand what HIPAA protects and how its rules are enforced.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to safeguard patients’ private medical information, known as protected health information (PHI).

As healthcare providers began using digital records, the need to protect this sensitive data became even more critical.

Over the years, HIPAA has evolved to include specific rules that address privacy, security, and enforcement:

  • The Privacy Rule defines what counts as PHI and how it should be handled.
  • The Security Rule sets safeguards for electronic PHI (ePHI).
  • The Breach Notification Rule requires reporting any unauthorized access or disclosure.
  • The Enforcement Rule outlines how violations are investigated and penalized.
  • The HITECH Act strengthened penalties and emphasized breach reporting.

These rules are the backbone of HIPAA enforcement, and they’re also what support the HIPAA complaint process.

If a covered entity (like a hospital or insurance provider) violates these rules, individuals have the right to file a HIPAA complaint with the Office for Civil Rights (OCR). What is HIPAA?

Assess your HIPAA compliance

How to File a HIPAA Complaint with the Office for Civil Rights (OCR)

To be accepted and investigated by the Office for Civil Rights (OCR), a HIPAA complaint must meet three core requirements. Here’s what you’ll need before you submit:

 1. File Through an Approved Method

You can file a HIPAA complaint through any of the following channels:

  • Online via the OCR Complaint Portal
  • By mail
  • By fax
  • By email

 2. Submit Within the 180-Day Deadline

Your complaint must be filed within 180 days of when you first became aware of the violation. If you’re filing late, you’ll need to provide a valid reason (“good cause”) for the delay. OCR may accept the complaint if the reason is justified.

 3. Identify the Entity and Describe the Violation

Your complaint must include:

  • The name of the covered entity or business associate involved
  • A clear description of the HIPAA violation, including what happened and when
  • The specific rule violated (Privacy, Security, or Breach Notification Rule)

If your complaint meets all three criteria, OCR may open a formal investigation and contact the entity in question for a response.

hipaa-doctor2

What Happens After a HIPAA Complaint is Investigated

What happens if you violate HIPAA?

Filing a HIPAA complaint can result in a few possible outcomes, depending on whether the violation is valid and how the covered entity responds.

Here’s what you can expect from the HIPAA complaint process handled by the Office for Civil Rights (OCR):

 1. The Complaint Is Dismissed

Your complaint may be closed without investigation if:

  • It falls outside the 180-day filing window
  • It doesn’t involve a covered entity or business associate
  • No violation of HIPAA’s Privacy, Security, or Breach Notification Rules occurred

Example: Complaints against employers or schools usually fall outside HIPAA’s scope, as they’re not covered entities.

 2. Informal Resolution

If OCR determines a violation did occur, they will likely begin with informal remediation, such as:

  • Voluntary compliance from the entity
  • A corrective action plan to fix the issue
  • A resolution agreement outlining steps the organization must follow

These resolutions are the most common outcome of a HIPAA complaint. Most organizations work quickly to comply once notified by OCR.

 3. Criminal Referral

If the violation involves intentional misuse of PHI or criminal negligence, OCR may refer the case to the Department of Justice (DOJ) for potential prosecution.

 4. Civil Money Penalties (CMPs)

If a covered entity refuses to cooperate or repeatedly violates HIPAA, OCR may impose civil money penalties, which can be significant:

  • CMPs can reach up to $50,000 per violation, with an annual cap of $1.5 million
  • Example: In 2010, Cignet Health was fined $4.3 million for refusing to provide patients access to their medical records

qsa

Final Thoughts: How to File a HIPAA Complaint the Right Way

Filing a HIPAA complaint is a powerful way to uphold the privacy and protection of personal health information.

Whether you’re a patient, employee, or healthcare partner, understanding how the HIPAA complaint process works is essential to holding organizations accountable.

Here’s a quick recap of the most important points:

  • Complaints must be filed within 180 days of the violation (unless good cause is shown).
  •  The complaint must involve a covered entity or business associate that violated HIPAA’s Privacy or Security Rule.
  •  You must provide the name of the entity and detailed information about the alleged violation.
  •  HIPAA whistleblower protections exist to guard against retaliation when reporting a violation.
  •  Once accepted, the Office for Civil Rights (OCR) will investigate, attempt informal resolution, and, if necessary, issue civil money penalties.

Reminder: Not all entities fall under HIPAA (like employers or schools), so check first before you file.

Need Help With HIPAA Compliance?

Whether you’re trying to file a HIPAA complaint or simply want to avoid one being filed against your organization, RSI Security is here to help.

We specialize in:

  • Risk analysis and gap assessments
  • HIPAA Privacy and Security Rule compliance
  • Policy development and training

Protect your organization from costly HIPAA violations, download our HIPAA Checklist today to ensure you’re fully compliant

Download Our HIPAA Checklist


0 comment
1
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Safe Harbor Provisions Under HIPAA Explained

May 25, 2021

Guide to HIPAA Compliance Self Assessment

September 24, 2021

How to Meet All HIPAA Data Security Requirements...

March 29, 2024

Conducting a Thorough HIPAA Data Breach Analysis: A...

December 26, 2024

Medical Cyberattacks

December 18, 2017

How to Ensure the Security of Electronic Health...

March 9, 2022

What is a Disaster Recovery Plan for HIPAA...

August 11, 2022

Achieving HIPAA Compliance

March 10, 2024

Does HITECH Affect HIPAA?

August 22, 2019

Stay HIPAA Compliant with a Business Associate Agreement

May 24, 2024

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More