Complaint Requirements.

Anyone can file a health information privacy or security complaint. Your complaint must:

  • Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal.
  • Name the covered entity or business associate involved, and describe the acts or omissions that you believed violated the requirements of the Privacy, Security, or Breach Notification Rules.
  • Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause".

HIPAA Prohibits Retaliation.

Under HIPAA, an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

Key Principles.

  • HITECH only applies to records requests from patients, when the request comes from the patient directly and is in writing.
  • HITECH does apply when the patient requests that their medical records be sent to a designated representative.
  • HITECH does not apply when an attorney requests the patient’s medical records.