You Are Here > OCR > HIPAA > Compliance and Enforcement > What OCR Considers During Intake & Review of a Complaint

Compliance and Enforcement

What OCR Considers During Intake & Review of a Complaint

The Office for Civil Rights (OCR) is the agency within the U. S. Department of Health and Human Services that investigates complaints about failures to protect the privacy of health information. It does so under its authority to enforce the Privacy Rule.

OCR carefully reviews all complaints that it receives. Under the law, OCR only may take action on complaints that meet the following conditions.

The alleged action must have taken place after April 14, 2003. Compliance with the Privacy Rule was not required until April 14, 2003. Therefore, OCR can not investigate complaints about actions that took place before that date.
The complaint must be filed against an entity that is required by law to comply with the Privacy Rule. Not all organizations are covered by the Privacy Rule. Entities subject to the Privacy Rule are considered “covered entities.” Briefly, a covered entity is:

a health plan:
including but not limited to

health insurance companies,
company health plans; or

a health care provider that electronically transmits any health information in connection with certain financial and administrative transactions (such as electronically billing insurance carriers for services): including but not limited to

doctors,
clinics,
hospitals,
psychologists,
chiropractors,
nursing homes,
pharmacies, and
dentists; or

a health care clearinghouse.

Examples of organizations that are not required to comply with the Privacy Rule include

life insurers,
employers,
workers compensation carriers,
many schools and school districts,
many state agencies like child protective service agencies,
many law enforcement agencies,
many municipal offices

A complaint must allege an activity that, if proven true, would violate the Privacy Rule. For example, OCR generally could not investigate a complaint that alleged that a physician sent a person’s demographic information to an insurance company to obtain payment, because the Privacy Rule generally permits doctors to use and disclose such information to bill for their services.

Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy Rule. OCR may waive this time limit if it determines that the person submitting the complaint shows good cause for not submitting the complaint within the 180 day time frame (e.g., such as circumstances that made submitting the complaint within 180 days impossible).

OCR must know the identity of the person who filed the complaint, and have a way to contact that person, to investigate the complaint. If it cannot reach the person to discuss the case, OCR will close the case.

During an investigation, OCR often must reveal the name of the person who filed the complaint. For example, a person complains about being denied access to her medical record by her doctor. For OCR to find out what happened in this case, the OCR investigator would need to tell the doctor the name of the person who made the complaint. In these cases, OCR needs to first obtain that person’s written consent. If the person refuses to grant consent, OCR will close the complaint. OCR will not disclose the name of the person if it can investigate the complaint without doing so.

In some cases in which OCR cannot take enforcement action, it may be able to refer the matter to another agency that can respond to it, or provide suggestions to the complainant about other avenues to follow for resolution. In addition, many organizations may be subject to other federal or state laws requiring privacy protections that OCR does not enforce.

Last revised: April 14, 2007

The White House | USA.gov | Helping America's Youth