Patient’s Guide to HIPAA – Basic Rights: What Should I do if I See a Privacy Violation?




You are reading the Patient’s Guide to HIPAA, FAQ 49

HIPAA Guide Quick Links:



FAQ 49: What Should I do if I See a Privacy Violation?

Now that the complaint process is working, filing a complaint with OCR has real potential to help. There is a real reason for the public to show interest in privacy laws and to use the process to protect individual rights guaranteed by law.

However, we think that the first step should be to complain directly to the covered entity that did something you think was wrong. Each covered entity has a privacy officer, and the name, address, and telephone number of the privacy officer should be included in the notice of privacy practices. Everyone makes mistakes, and everyone deserves the chance to make things right. It is also important for covered entities to know that people pay attention to privacy and that people care when privacy violations occur.

If the covered entity does not satisfy you, then you can look elsewhere. We don’t think that every minor violation should become a federal case. Our first choice is to complain locally about any violation. If you do not get satisfaction locally, then consider a complaint to OCR. Remember that filing a formal complaint may bring more attention to you and to your health record. You may want to be guarded about how much of your personal medical information you include in the complaint. In other words, the complaint process may further invade your privacy.

Here are some ideas if you want to pursue a federal complaint.

• Complain to OCR as described above.

• If you do complain to OCR, consider sending a copy of your complaint to your congressman or Senators. Ask them to write to the Secretary of HHS and report back about what happens to the complaint. When an elected official writes to an agency on behalf of a constituent, the constituent’s file gets a pink slip and that may get your complaint faster attention. The downside may be sharing your personal information more widely.

• You might be able to complain to a state official. Every state has a health department and an insurance department. If your complaint is about a health care provider, complain to the health department. If the complaint is about an insurer, complain to the insurance department.

• Health care providers hold licenses from state boards. If the violation is serious, see if the state licensing board accepts public complaints.

• If your problem is newsworthy and you are willing to make it public, you might look for a local reporter who covers health issues and who may be interested in your story. Remember that going public may just make the privacy violation worse, but it may get better results. A hospital may be very unhappy to see a news story that said it violated someone’s privacy or denied a patient rights guaranteed by law. A call from a reporter may produce a response that you couldn’t get on your own.

• Use the Web. You may find websites where you can post your story and the basics of your complaint. Posting a complaint about a health care provider may help others and may be satisfying all by itself. If you post information publicly, be sure that you are not revealing too much of your personal health information.

• Tell your friends and neighbors. A national insurance company may not care what you say. However, local providers and local hospitals care a lot. A bad reputation can result in the loss of clients and revenues.

• You may be able to file a lawsuit. HIPAA does not provide patients with the right to sue covered entities. However, other laws may allow you to sue. If the courts recognize that HIPAA establishes a standard of care, then it may be possible to sue for breach of contract, malpractice, violation of standards of professional conduct, or on other grounds to enforce HIPAA requirements. However, remember that lawsuits are not fun, take a long time, and can be expensive. Finding a lawyer willing to take a privacy case can be hard. Obtaining monetary damages can be highly uncertain. Lawsuits are remedies you should consider pursuing only after you tried other potential remedies and then only for major problems.



Roadmap: Patient’s Guide to HIPAA: Part 2: Basic Patient Rights: Right to Complain to the Secretary of HHS (FAQ 49 of 65)

Jump to list of FAQs 1-65 | See all of Part 2