Patient’s Guide to HIPAA – Basic Rights: F. Right to Complain to the Secretary of HHS (FAQ 46 – 50)





The HIPAA rule defines seven patient rights. One of them is the right to file a complaint about a HIPAA problem with the Secretary of the US Department of Health and Human Services (HHS). This page includes all FAQs explaining this right (FAQ 46-50).


F. Right to Complain to the Secretary of HHS (FAQ 46 – 50)


FAQ 46: Can I File a Federal Complaint about a HIPAA Problem?

Yes. Any person who believes that a covered entity is not complying with the HIPAA privacy rule may file a complaint with the Office of Civil Rights at the Department of Health and Human Services. You do not have to be a patient of a health care provider or a beneficiary of a health insurance plan to file a complaint. For example, if you visit a relative in the hospital and see a violation, you can file a complaint.

You can find information about the complaint process at There is a list of regional offices at including phone numbers. OCR wants you to file a complaint at the regional office for your state, and the website provides addresses and fax numbers. However, OCR doesn’t necessarily make it easy. There is no email address for each regional office. If you look hard enough through the OCR website, you will find that you can submit a complaint by email to An emailed complaint does not require a signature.

OCR has a complaint form that you can fill out at The complaint website has information in other languages about how to file a complaint. You can use email to ask questions or to get help. You can e-mail OCR at, but there’s no guarantee that you will get a response.

In recent years, OCR opened a large number of investigations in response to complaints from individuals and otherwise. The total number of investigations that found a violation of HIPAA privacy and security rules averaged 2000 a year for the last ten years. That is a lot of violations and a lot of activity by OCR. There’s a reasonable chance that a well-founded complaint will result in a review and change. Filing a complaint with OCR should be worthwhile.


FAQ 47: What Information Belongs in a Complaint?


The Office of Civil Rights at HHS wants a complaint to be signed and to include:

• Your name, full address, home and work telephone numbers, email address.

• If you are filing a complaint on someone’s behalf, provide the name of the person on whose behalf you are filing.

• Name, full address and phone of the person, agency or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy Rule.

• Briefly describe what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or the Privacy Rule otherwise was violated?

• Any other relevant information.

• Your name and the date of the complaint.

Optional information that OCR requests includes:

• Do you need special accommodations for us to communicate with you about this complaint?

• If HHS cannot reach you directly, is there someone else to contact?

• Have you filed your complaint somewhere else?


FAQ 48: Will Filing a Complaint Really Help?

There’s now a reasonable chance that filing a complaint will produce a response and may lead to action. For a long time, enforcement of the Rule by the Office of Civil Rights was rare. In the last few years, OCR has become much more aggressive in enforcing the HIPAA privacy and security rules. Some of the penalties imposed on covered entities run into the millions of dollars. If you file a complaint, it should receive appropriate attention. Remember, however, that the Privacy Rule complaint process is for HIPAA complaints. OCR receives and rejects many complaints because they are not about HIPAA matters.

We wouldn’t hesitate to file a complaint if we thought that a covered entity violated HIPAA. But we remind you that filing a complaint may have the effect of spreading your health information around more widely. Not all complaint investigations will involve disclosure of the intimate details of your medical history, but some may. It is for you to judge whether a complaint will invade your privacy more than you can tolerate. Nevertheless, if you are just trying to get a hospital to respond to your request for a copy of your record, the additional threat to privacy may be small and your complaint to OCR may help you get what you want.


FAQ 49: What Should I do if I See a Privacy Violation?

Now that the complaint process is working, filing a complaint with OCR has real potential to help. There is a real reason for the public to show interest in privacy laws and to use the process to protect individual rights guaranteed by law.

However, we think that the first step should be to complain directly to the covered entity that did something you think was wrong. Each covered entity has a privacy officer, and the name, address, and telephone number of the privacy officer should be included in the notice of privacy practices. Everyone makes mistakes, and everyone deserves the chance to make things right. It is also important for covered entities to know that people pay attention to privacy and that people care when privacy violations occur.

If the covered entity does not satisfy you, then you can look elsewhere. We don’t think that every minor violation should become a federal case. Our first choice is to complain locally about any violation. If you do not get satisfaction locally, then consider a complaint to OCR. Remember that filing a formal complaint may bring more attention to you and to your health record. You may want to be guarded about how much of your personal medical information you include in the complaint. In other words, the complaint process may further invade your privacy.

Here are some ideas if you want to pursue a federal complaint.

• Complain to OCR as described above.

• If you do complain to OCR, consider sending a copy of your complaint to your congressman or Senators. Ask them to write to the Secretary of HHS and report back about what happens to the complaint. When an elected official writes to an agency on behalf of a constituent, the constituent’s file gets a pink slip and that may get your complaint faster attention. The downside may be sharing your personal information more widely.

• You might be able to complain to a state official. Every state has a health department and an insurance department. If your complaint is about a health care provider, complain to the health department. If the complaint is about an insurer, complain to the insurance department.

• Health care providers hold licenses from state boards. If the violation is serious, see if the state licensing board accepts public complaints.

• If your problem is newsworthy and you are willing to make it public, you might look for a local reporter who covers health issues and who may be interested in your story. Remember that going public may just make the privacy violation worse, but it may get better results. A hospital may be very unhappy to see a news story that said it violated someone’s privacy or denied a patient rights guaranteed by law. A call from a reporter may produce a response that you couldn’t get on your own.

• Use the Web. You may find websites where you can post your story and the basics of your complaint. Posting a complaint about a health care provider may help others and may be satisfying all by itself. If you post information publicly, be sure that you are not revealing too much of your personal health information.

• Tell your friends and neighbors. A national insurance company may not care what you say. However, local providers and local hospitals care a lot. A bad reputation can result in the loss of clients and revenues.

• You may be able to file a lawsuit. HIPAA does not provide patients with the right to sue covered entities. However, other laws may allow you to sue. If the courts recognize that HIPAA establishes a standard of care, then it may be possible to sue for breach of contract, malpractice, violation of standards of professional conduct, or on other grounds to enforce HIPAA requirements. However, remember that lawsuits are not fun, take a long time, and can be expensive. Finding a lawyer willing to take a privacy case can be hard. Obtaining monetary damages can be highly uncertain. Lawsuits are remedies you should consider pursuing only after you tried other potential remedies and then only for major problems.


FAQ 50: Should I Worry that a Covered Entity will Retaliate if I File a Complaint?

Each covered entity’s notice of privacy practices must say that there will be no retaliation against a person who files a complaint. We would like to believe that.

But in the real world, there are no guarantees. We have seen, for example, a notice from a hospital that says – as required by the rule – that there will be no retaliation. The next sentence in the notice says more ominously that the hospital reserves the right “to take necessary and appropriate action to maintain an environment that serves the best interests of our patients and staff.” We have no idea what that means or why the hospital chose to add that statement directly after the required language about not taking retaliation. But it sure sounds like a threat to us.

We would be happier to see a privacy notice that included a statement to the effect that the hospital reserves the right to take additional actions to protect the privacy of its patients. However, hospital lawyers don’t like statements like that, lest they be interpreted to oblige the hospital to do more than the bare minimum.


