A patient can document the incident, request copies of relevant records and disclosures, submit a complaint to the organization’s designated privacy contact, and file a complaint with the HHS Office for Civil Rights. The patient may also report concerns to a state attorney general or other state regulator when state privacy or consumer protection laws may apply. These actions apply to suspected improper uses or disclosures of protected health information, failures to provide required access to records, failures to apply safeguards required by the HIPAA Security Rule, or failures to provide required notifications under the HIPAA Breach Notification Rule.
A patient can start by gathering facts that support a complaint, such as dates, names, locations, copies of correspondence, screenshots of portal messages, and a short description of what occurred. If the concern involves access to records, a patient can submit a written request for access and keep proof of submission and delivery. If the concern involves accuracy, a patient can submit a request for amendment and retain the response. If the concern involves disclosure tracking, a patient can request an accounting of disclosures when applicable under the HIPAA Privacy Rule and retain the response.
A patient can submit a complaint to the healthcare provider, health plan, or other regulated organization through the privacy officer process or the organization’s complaint channel. The complaint can specify what information was involved, how it was used or disclosed, who received it if known, what corrective action the patient is requesting, and a preferred method of response. The HIPAA Privacy Rule restricts retaliation for filing a complaint or exercising HIPAA rights, and the patient can document any adverse actions that appear linked to the complaint.
A patient can also file a complaint with the HHS Office for Civil Rights, which enforces the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. OCR complaints are typically subject to a time limit measured from when the patient knew or should have known of the act or omission, with an option to request a waiver for good cause. If the facts indicate identity misuse, a patient can take separate steps outside HIPAA, such as placing a fraud alert or security freeze and reporting suspected identity theft through the channels required by consumer protection law, while continuing the HIPAA complaint process for the underlying improper use or disclosure.