Anyone can file a health information privacy or security complaint. Your complaint must:
- Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal.
- Name the covered entity or business associate involved, and describe the acts or omissions you believed violated the requirements of the Privacy, Security, or Breach Notification Rules.
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause".
HIPAA Prohibits Retaliation.
Under HIPAA, an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
- HITECH applies only to records requests from patients, when the request comes directly from the patient and is in writing.
- HITECH does apply when the patient requests that their medical records be sent to a designated representative.
- HITECH does not apply when an attorney requests the patient’s medical records.