The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Any person who believes that a covered entity or business associate is not complying with HIPAA may file a complaint with OCR (complaints may also be submitted directly to a covered entity). Here is a high-level overview of the OCR complaint process from intake and review through investigation and resolution:

Intake and Review. During this step, OCR reviews the complaint to determine whether it can or will take action. OCR may take action on a complaint if it meets the following conditions:

  • The activity took place after HIPAA’s effective dates: April 14, 2003 for violations of the Privacy Rule and April 20, 2005 for violations of the Security Rule;
  • The complaint is filed against an entity that is required to comply with HIPAA’s Privacy Rule and Security Rule;
  • The complaint alleges an activity that, if true, would be a violation of HIPAA’s Privacy Rule or Security Rule; and
  • The complaint is filed within 180 days of the date the person knew or should have known of the violation. OCR has discretion to waive this requirement for good cause.

If the complaint includes a possible criminal violation, OCR can report the complaint to the U.S. Department of Justice (DOJ) for review. If the DOJ declines the case, it can return the complaint to OCR for possible investigation.

Investigation. OCR will notify an individual if their complaint has been accepted. The named organization will also be notified. Both the organization and the complainant may be asked to provide information about the alleged incident which may include the circumstances surrounding the incident as well as the organization’s related policies, procedures and practices.

Resolution. After OCR reviews the information provided during the investigation, it may attempt to resolve the case by obtaining resolution in the form of voluntary compliance, corrective action, and/or a resolution agreement. OCR also has authority to impose civil monetary penalties (CMPs) on the entity allegedly responsible for the violation. Entities who may be facing CMPs may have additional rights, such as the right to a hearing before an administrative law judge to determine whether the penalties are supported by the evidence.

Approximately 62 percent of complaints filed with OCR since April 14, 2003 have been determined by OCR not to be eligible for enforcement. According to OCR’s website, some of the most frequently investigated compliance issues relate to improper use or disclosure of health information, lack of safeguards to protect health information, and lack of patient access to health information.