HHS OCR Review Under HIPAA

The Office for Civil Rights (OCR) is the agency within the U.S. Department of Health and Human Services (HHS) that investigates and reviews complaints about failures to protect the privacy and security of health information – complaints alleging violations of the HIPAA rules. HHS OCR Review is conducted under OCR's regulatory authority to enforce the HIPAA Security Rule (as well as the HIPAA Privacy Rule).

OCR reviews every complaint it receives. Anyone can file a health information privacy or security complaint with the HHS Office for Civil Rights alleging a HIPAA violation. Complaints for HHS OCR Review may be filed in writing by mail, fax, or email, or via the online OCR Complaint Portal.

What Does the HHS OCR Review Consist of?

After reviewing a complaint, OCR may take additional action (including investigation, conducting hearings, and settlement activities). For OCR to take action, however, the complaint must meet all of the following conditions:

The alleged action must have taken place after the date the Security Rule took effect.
Compliance with the Security Rule was not required before April 20, 2005 (small health plans were given an additional year, until April 20, 2006). Therefore, OCR cannot investigate a complaint about conduct that took place before the applicable compliance date.

HIPAA regulations carry what is known as an “effective date.” The effective date of a regulation may be later than the date on which the final rule is published (the enactment date), but, generally, the effective date cannot be earlier than the enactment date. Setting an effective date, and a later compliance date, after the enactment date gives regulated entities time to bring themselves into compliance with the regulation.

For example, the HIPAA Security Rule was first proposed on August 12, 1998. The final Security Rule was published on February 20, 2003. Compliance with the HIPAA Security Rule, as noted above, became mandatory for most covered entities on April 20, 2005.

The complaint must be filed against an entity required to comply with the Security Rule.

Not all organizations are covered by the Security Rule. To be subject to its provisions, an entity must be a covered entity (CE) or a business associate (BA). In addition, the covered entity or business associate must create, receive, maintain, or transmit electronic protected health information (ePHI); the Security Rule does not reach PHI that exists only on paper or in spoken form.

Many organizations that handle health information fall outside the Security Rule because they are neither covered entities nor business associates. These generally include life insurers; employers; workers' compensation carriers; many schools and school districts; many state agencies (such as child protective service agencies); many state and local law enforcement agencies; and many municipal offices.

The complaint must allege an activity that, if proven true, would violate the Security Rule.

OCR's power to investigate suspected wrongdoing under the Security Rule is limited to conduct the Security Rule actually prohibits or requires. OCR may not investigate and fine an entity under the Security Rule for conduct that the Security Rule does not regulate.

For example, OCR may not investigate under the Security Rule a complaint alleging that an entity “failed to comply with the Security Rule because it failed to implement administrative safeguards to render its written and oral communications secure.” The standards and implementation specifications of the Security Rule apply only to electronic protected health information (ePHI), not to written or oral communications. (The same conduct may still be examined under the Privacy Rule, which covers PHI in any form.)

The complaint must be filed within a specific time frame.

Complaints must be filed with HHS OCR within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Security Rule (45 CFR 160.306(b)(3)). A person “should have known” about an alleged violation if a reasonable and prudent person exercising reasonable care and attention (that is, reasonable diligence, or due diligence) would have discovered the violation in the same circumstances. In other words, an individual who could have discovered a violation easily and with minimal effort within those 180 days must file the complaint within that 180-day window.

Under some circumstances, exercising reasonable care and attention is not enough to enable someone to discover a violation. One such circumstance is when a covered entity or business associate attempts to hide or fraudulently conceal the fact of the violation, or evidence related to it. In that situation, the complaint must be filed within 180 days of when the fraud or concealment could reasonably have been discovered. In some instances, an individual exercising reasonable diligence may not become aware that fraud has occurred until the person learns of the consequences of that fraud and can reasonably deduce from them that fraud took place. In those instances, the filing must be made with HHS OCR within 180 days of learning of the consequences of the fraud.

There is one further circumstance under which OCR may not hold a filer to the strict 180-day limit. If the person submitting the complaint shows good cause for not submitting it within the 180-day time frame, the Secretary of Health and Human Services may waive the requirement. What constitutes “good cause” is determined by the Secretary in the exercise of his or her discretion. One way a person may demonstrate good cause for a late filing is by showing that he or she was physically or mentally incapacitated during the 180-day time frame, so that filing was impossible.
