You know that a covered entity has violated or tampered with your PHI under HIPAA. But what are you supposed to do next? To redress your grievances, you have to file a complaint with the Office for Civil Rights (OCR). OCR is the authority entitled to receive and investigate complaints against covered entities related to the Privacy Rule.
The complaints to the Office for Civil Rights must:
1. Be filed in writing, either on paper or electronically;
2. Name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of the Privacy Rule;
3. It must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”
The violation for which the complaint is filed must have occurred on or after April 14, 2003 (on or after April 14, 2005 for small health plans), for OCR to have authority to investigate.
OCR has ten regional offices, and each regional office covers certain states. Complaints should be sent to the attention off the appropriate OCR Regional Manager.
You can submit your complaint in any written format but the complaint should include the following information:
1. Your name, full address, home and work telephone numbers, email address.
2. If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
3. Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.
4. Briefly describe what happened. How, why, and when do believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?
5. Any other relevant information.
The Privacy Rule prohibits the alleged violating party from taking retaliatory action against anyone for filing a complaint with the Office for Civil Rights. You should notify OCR immediately in the event of any retaliatory action.
