The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) provides an online HIPAA Violation Complaint Portal Assistant that allows individuals who believe their HIPAA rights have been violated to report the incident.

Users may input the following information using the Complaint Portal Assistant:

  • When they learned of the most recent HIPAA violation
  • Whom the complaint about the HIPAA violation is against
  • Who the complaint about the HIPAA violation is about
  • What the complaint is about 

Depending upon what input is provided by the user, the Complaint Portal Assistant will offer recommended next steps. 

For example, if the user ultimately indicates that the most recent HIPAA violation was the failure to timely provide copies of medical records, the OCR Portal Assistant offers a sample letter that patients may use to request the information.

On the other hand, suppose the user inputs that the most recent HIPAA violation was within the last six months; that the complaint is about a healthcare provider committing a HIPAA violation; that the provider accepts insurance; and that the HIPAA violation was something other than failure to provide the patient with requested health information records. The user will then be prompted to click on the link to the OCR HIPAA Violation Complaint Portal.

What Complaints Alleging a HIPAA Violation Can Be Filed Using the Portal?

Through the online OCR HIPAA Violation Complaint Portal, individuals may file a health information privacy complaint alleging a HIPAA violation, or may file a complaint alleging a HIPAA violation based on the Security Rule.

As the Complaint Portal advises, if an individual believes a covered entity violated his or her health information privacy rights, or committed another HIPAA violation under the HIPAA Privacy, Security, or Breach Notification Rules, the individual may file a complaint with OCR.  

The OCR HIPAA Violation Complaint Portal notes that the following are covered entities that must meet the requirements of the federal Privacy, Security, and Breach Notification Rules:

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers that conduct a portion of their business electronically using a HIPAA covered transaction

The Portal also notes that OCR can investigate complaints against covered entities and their business associates, and concludes by noting that an individual may file a complaint for himself or herself, for his or her organization, or for someone else.
