How can patients file complaints against a HIPAA entity?

May 27, 2023 | HIPAA News and Advice

Patients can file a complaint against a HIPAA-covered entity by submitting a written complaint to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), either through its online portal, by mail, or by fax. The complaint should describe the alleged violation of the patient's privacy rights under HIPAA, identify the entity in question, explain the nature of the complaint, and include any supporting evidence. The OCR then reviews and investigates the complaint to determine whether the entity complied with HIPAA regulations and takes appropriate action if a violation is substantiated. In short, patients who believe a covered entity has violated their HIPAA privacy rights have recourse through a formal complaint process administered by the HHS OCR.

Table: Process of Filing a Complaint Against a HIPAA-Covered Entity

Reason for Complaint: Patients should have valid reasons for filing a complaint, such as unauthorized disclosure of PHI, denial of access to health records, breaches of confidentiality, or inadequate safeguards.

Initiating the Complaint: Patients can file complaints through the OCR's online portal, or submit written complaints via mail or fax.

Providing Relevant Information: Complaints should detail the alleged violation, specify the involved HIPAA entity, and include any supporting evidence.

Complaint Review and Investigation: The OCR reviews and investigates to determine the complaint's validity and whether HIPAA regulations were breached.

Resolution and Enforcement: Confirmed violations lead to corrective actions by entities, implementation of safeguards, or imposition of penalties when necessary.

Protection from Retaliation: HIPAA safeguards patients against retaliation by covered entities for filing complaints.

Guidance from Healthcare Professionals: Healthcare professionals play a role in guiding patients through the process, offering support and information.

Maintaining Documentation: Patients should retain copies of complaints, OCR correspondence, and related documents.

Educational Initiatives: Healthcare professionals can educate patients on HIPAA rights through materials, seminars, and discussions.

Internal Reporting by Healthcare Professionals: Healthcare professionals can address internal violations to ensure compliance within institutions.

The complaint filing process serves as an avenue for patients to assert their rights and contribute to the enforcement of HIPAA regulations. Understanding this process can greatly empower healthcare professionals to assist their patients in addressing potential privacy breaches. Patients may wish to file a complaint against a HIPAA-covered entity for various reasons. Common scenarios include unauthorized disclosures of PHI, inadequate safeguards to protect patient information, denial of access to personal health records, and breaches of confidentiality. Healthcare professionals must encourage patients to voice their concerns when they suspect that their privacy rights have been compromised, promoting trust and transparency within the healthcare system.

To initiate the complaint process, patients can access the OCR’s online portal, which offers a streamlined submission platform. Alternatively, patients can submit a written complaint via mail or fax. The complaint should clearly outline the nature of the alleged violation, provide details about the entity involved, and offer any available supporting evidence. Encouraging patients to provide as much relevant information as possible enhances the efficacy of the investigation process. Upon receiving a complaint, the OCR undertakes a rigorous review and investigation process to ascertain its legitimacy and the potential violation of HIPAA regulations. This process involves examining the information provided by the complainant and may also involve communicating with the covered entity in question. The OCR scrutinizes whether the entity in question complied with HIPAA’s standards and safeguards designed to protect patient privacy and data security.

After a thorough investigation, the OCR determines whether the complaint is substantiated and if HIPAA regulations have indeed been violated. If a violation is confirmed, the OCR may pursue resolution through various means. These include voluntary corrective action by the entity, the implementation of safeguards to prevent future breaches, and the imposition of civil monetary penalties in cases of egregious or repeated violations. Resolutions are designed to correct breaches, mitigate harm, and deter future non-compliance.

Healthcare professionals need to educate patients about their protection against retaliation for filing a complaint. HIPAA prohibits covered entities from taking adverse actions against individuals who assert their rights by filing complaints or participating in OCR investigations. Ensuring patients are aware of these protections can alleviate concerns about potential repercussions and embolden them to advocate for their privacy rights. Healthcare professionals also have a role in guiding patients through the complaint process. By offering support, information, and guidance, professionals can help patients navigate the process effectively. When healthcare professionals witness potential violations within their own institutions, they should take appropriate steps to address these concerns internally to prevent future issues and ensure compliance.

Throughout the complaint process, maintaining accurate documentation is important. Healthcare professionals should encourage patients to retain copies of their complaints, communication with the OCR, and any related documentation. This documentation may be necessary if further action is required or if patients seek to understand the outcome of the investigation. Healthcare professionals can engage in educational initiatives to increase patient awareness of their rights under HIPAA. This can include distributing informational materials, conducting seminars, and incorporating privacy discussions into patient interactions. Empowering patients with knowledge not only helps them understand their rights but also promotes a collaborative approach to healthcare.

Patients assert their privacy rights and contribute to the enforcement of HIPAA regulations when they go through the process of filing complaints against a HIPAA entity. Healthcare professionals serve as guides in this process, offering support, education, and empowerment. By upholding patient privacy and HIPAA compliance, professionals help protect patient confidentiality and data security, strengthening patient trust in the healthcare system.
