If you believe your private health information has been mishandled or exposed, you have the right to file a HIPAA complaint and hold the responsible party accountable.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect sensitive patient data, and when those protections are violated, individuals and organizations can take action by filing a formal complaint.
These complaints are typically investigated by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).
In this article, we’ll walk you through:
- Who can file a HIPAA complaint
- What qualifies as a HIPAA violation
- Where and how to file the complaint
- What happens after the complaint is submitted
Whether you’re a patient, healthcare worker, or third-party vendor, understanding the HIPAA complaint process is crucial for protecting your rights and maintaining compliance. Let’s dive in.
HIPAA: Background Information
Before we dive into the complaint process, it’s helpful to understand what HIPAA protects and how its rules are enforced.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 to safeguard patients’ private medical information, known as protected health information (PHI).
As healthcare providers began using digital records, the need to protect this sensitive data became even more critical.
Over the years, HIPAA has evolved to include specific rules that address privacy, security, and enforcement:
- The Privacy Rule defines what counts as PHI and how it should be handled.
- The Security Rule sets safeguards for electronic PHI (ePHI).
- The Breach Notification Rule requires reporting any unauthorized access or disclosure.
- The Enforcement Rule outlines how violations are investigated and penalized.
- The HITECH Act strengthened penalties and emphasized breach reporting.
These rules are the backbone of HIPAA enforcement, and they’re also what support the HIPAA complaint process.
If a covered entity (like a hospital or insurance provider) violates these rules, individuals have the right to file a HIPAA complaint with the Office for Civil Rights (OCR).
How to File a HIPAA Complaint with the Office for Civil Rights (OCR)
To be accepted and investigated by the Office for Civil Rights (OCR), a HIPAA complaint must meet three core requirements. Here’s what you’ll need before you submit:
1. File Through an Approved Method
You can file a HIPAA complaint through any of the following channels:
- Online via the OCR Complaint Portal
- By mail
- By fax
- By email
2. Submit Within the 180-Day Deadline
Your complaint must be filed within 180 days of when you first became aware of the violation. If you’re filing late, you’ll need to provide a valid reason (“good cause”) for the delay. OCR may accept the complaint if the reason is justified.
3. Identify the Entity and Describe the Violation
Your complaint must include:
- The name of the covered entity or business associate involved
- A clear description of the HIPAA violation, including what happened and when
- The specific rule violated (Privacy, Security, or Breach Notification Rule)
If your complaint meets all three criteria, OCR may open a formal investigation and contact the entity in question for a response.
What Happens After a HIPAA Complaint is Investigated
Filing a HIPAA complaint can result in a few possible outcomes, depending on whether the violation is valid and how the covered entity responds.
Here’s what you can expect from the HIPAA complaint process handled by the Office for Civil Rights (OCR):
1. The Complaint Is Dismissed
Your complaint may be closed without investigation if:
- It falls outside the 180-day filing window
- It doesn’t involve a covered entity or business associate
- No violation of HIPAA’s Privacy, Security, or Breach Notification Rules occurred
Example: Complaints against employers or schools usually fall outside HIPAA’s scope, as they’re not covered entities.
2. Informal Resolution
If OCR determines that a violation did occur, it will likely begin with informal remediation, such as:
- Voluntary compliance from the entity
- A corrective action plan to fix the issue
- A resolution agreement outlining steps the organization must follow
These resolutions are the most common outcome of a HIPAA complaint. Most organizations work quickly to comply once notified by OCR.
3. Criminal Referral
If the violation involves intentional misuse of PHI or criminal negligence, OCR may refer the case to the Department of Justice (DOJ) for potential prosecution.
4. Civil Money Penalties (CMPs)
If a covered entity refuses to cooperate or repeatedly violates HIPAA, OCR may impose civil money penalties, which can be significant:
- CMPs can reach up to $50,000 per violation, with an annual cap of $1.5 million
- Example: In 2010, Cignet Health was fined $4.3 million for refusing to provide patients access to their medical records
Final Thoughts: How to File a HIPAA Complaint the Right Way
Filing a HIPAA complaint is a powerful way to uphold the privacy and protection of personal health information.
Whether you’re a patient, employee, or healthcare partner, understanding how the HIPAA complaint process works is essential to holding organizations accountable.
Here’s a quick recap of the most important points:
- Complaints must be filed within 180 days of the violation (unless good cause is shown).
- The complaint must involve a covered entity or business associate that violated HIPAA’s Privacy or Security Rule.
- You must provide the name of the entity and detailed information about the alleged violation.
- HIPAA whistleblower protections exist to guard against retaliation when reporting a violation.
- Once accepted, the Office for Civil Rights (OCR) will investigate, attempt informal resolution, and, if necessary, issue civil money penalties.
Reminder: Not all entities fall under HIPAA (like employers or schools), so check first before you file.
Need Help With HIPAA Compliance?
Whether you’re trying to file a HIPAA complaint or simply want to avoid one being filed against your organization, RSI Security is here to help.
We specialize in:
- Risk analysis and gap assessments
- HIPAA Privacy and Security Rule compliance
- Policy development and training
Protect your organization from costly HIPAA violations: download our HIPAA Checklist today to ensure you’re fully compliant.