Making A Privacy Complaint

The Health Insurance Portability and Accountability Act (HIPAA) Rules apply to covered entities and business associates.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with its requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. 

If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate agreement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with HIPAA requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

A covered entity is one of the following:
A Health Care Provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Organizations that are not governed by HIPAA privacy regulations:

  • Life insurers
  • Employers
  • Workers' compensation carriers
  • Schools and school districts
  • State Agencies like Child Protective Services
  • Law enforcement
  • Government offices

How to File a Privacy Complaint with HAP

If you believe your privacy rights have been violated, you may file a complaint with us. Contact the Information Privacy & Security Office below or HAP’s Compliance Hotline at (877) 746-2501 (TTY: 711). You can stay anonymous.

HAP and HAP Empowered Plan Information Privacy & Security Office
One Ford Place
Detroit, MI 48202
Email: privacysecurity@hfhs.org

You may also notify the Secretary of the U.S. Department of Health and Human Services of your complaint as indicated below. We will not take any action against you for filing a complaint.

Oversight responsibilities of the Office for Civil Rights (OCR) and how to submit complaints

The OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance. The OCR also performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.

The OCR may only take action on certain complaints. If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.

If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties on the covered entity. If penalties are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of penalties collected from covered entities; the penalties are deposited in the U.S. Treasury.

How to file a health information privacy complaint

  • You may file in writing by mail, fax, email or via the OCR Complaint Portal.
  • Name the covered entity or business associate involved, and describe the acts or omissions you believe violated the requirements of the Privacy, Security, or Breach Notification Rules.
  • Your complaint should be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause."

HIPAA prohibits retaliation

Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

How to file a health information privacy complaint online

Open the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:

  • Information about you, the complainant
  • Details of the complaint
  • Any additional information that might help OCR when reviewing your complaint

You will then need to electronically sign the complaint and complete the consent form. After completing the consent form, you will be able to print out a copy of your complaint to keep for your records.

How to file a health information privacy complaint in writing

Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:

  • Print and mail the completed complaint and consent forms to: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 515F HHH Bldg., Washington, D.C. 20201
  • Email the completed complaint and consent forms to OCRComplaint@hhs.gov. (Please note that communication by unencrypted email presents a risk that personally identifiable information contained in such an email may be intercepted by unauthorized third parties.)

How to file a complaint without using our health information privacy complaint package

If you prefer, you may submit a written complaint in your own format by either:

  • Print and mail the completed complaint and consent forms to: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 515F HHH Bldg., Washington, D.C. 20201; or
  • Email to OCRComplaint@hhs.gov

Be sure to include:

  • Your name
  • Full address
  • Telephone numbers (include area code)
  • E-mail address (if available)
  • Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
  • Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
  • Any other relevant information
  • Your signature and date of complaint

If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing. You may also include:

  • Whether you need special accommodations for us to communicate with you about this complaint
  • Contact information for someone who can help us reach you if we cannot reach you directly
  • Whether you have filed your complaint somewhere else, and where you have filed it

OCR does not investigate complaints filed without a name and contact information on the complaint. If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.

Oversight and responsibilities of the Federal Trade Commission (FTC) and how to file a complaint

The FTC’s mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.

Have a consumer complaint? You can report it:

  • Online: Complaint form
  • By phone (toll free): 877-FTC-HELP (382-4357), 9 a.m. to 8 p.m. Eastern Time, Monday through Friday
  • By mail: Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580