complaints to privacy officer or DHHS (HIPAA)
HIPAA requires that every covered entity have an internal process for receiving and evaluating complaints of HIPAA violations. Typically, such complaints will be the responsibility of the privacy office/officer designated by the organization.
Individuals who believe that a covered entity is not complying with HIPAA requirements may also file a complaint with the Secretary of the federal Department of Health and Human Services (DHHS). Currently the Office of Civil Rights (OCR) within DHHS has been designated to receive such complaints.
Complaints to DHHS must
- be filed in writing, either on paper or electronically;
- name the entity that is the subject of the complaint, and describe the acts or omissions believed to violate HIPAA regulations;
- be filed within 180 days of when the complainant knew, or reasonably should have known, that the act(s) or omission(s) occurred (though the Secretary may waive this time limit for "good cause").
The degree of investigation for each complaint is up to the Secretary (hence, up to OCR).
If an investigation pursuant to a complaint (or the results of a general compliance review) indicates organizational violations, the Secretary must notify the institution and any complainants in writing.
The regulations direct the Secretary to "attempt to resolve [problems] by informal means whenever possible." If informal resolution is not possible, the Secretary must issue formal, written findings, which presumably would raise the possibility of further investigation, and legal or financial sanctions.
A covered entity may not require individuals to waive their rights to file a complaint as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits.
Nor may it intimidate or retaliate against complainants, be they patients/customers or members of the workforce.
Last modified: 11-May-2005 [RC]