How to Report HIPAA Violations
Obtain the form package., Read through the form package., Provide identifying information., Provide information about the HIPAA violation., Provide optional information., Sign and date the form., Complete the Complainant Consent Form., Submit your...
Step-by-Step Guide
-
Step 1: Obtain the form package.
The Office for Civil Rights ("OCR") of the U.S.
Department of Health & Human Services provides an OCR Health Information Privacy Complaint Form Package on its website.You will use this form to report a HIPAA violation by downloading it, completing it, and then submitting it to the appropriate entity. -
Step 2: Read through the form package.
The form package consists of eight pages.Before you begin to fill out the form, you should take some time and read through the entirety of the form package.
You will use the first two pages to actually report the HIPAA violation.
The third and fourth pages comprise a consent form, which you can fill out to authorize OCR to access your personal information while the office investigates your complaint.
The last four pages provide information on what OCR can do with your personal information, how it will be protected, and when it can be disclosed. , The top half of the first page of the complaint form requires you to provide information such that OCR can identify who is reporting the HIPAA violation.
You will need to provide your name, phone number, street address, and e-mail address.If you are completing the form for someone else, check the relevant box and write in that person's name in the appropriate section. , On the second half of the first page, you will need to detail the who, when, and what of the alleged HIPAA violation.
You will need to provide the name and street address of the entity you believe committed the violation, and the date on which the violation occurred.You will then need to briefly describe how the named entity violated your (or someone else's) rights under HIPAA.
When describing the nature of the violation, you should be as specific as possible.
You don't need to use complex, legal language or reference the HIPAA statute itself.
Simply write down the sequence of events you believe led to the violation, and then provide as much detail as you can about the violation and how it has affected you.
If you need additional space than that provided, you can attach additional pages. , The second page of the complaint form is completely optional.This part of the form asks you to identify any special needs you might have that could affect communication with OCR, allows you to provide an additional contact if OCR cannot reach you directly to discuss your report, asks if you have filed your complaint anywhere else, and asks about race/ethnicity and how you heard about OCR.
Complete all, some, or none of this section as you wish. , On the bottom of the first page, there is a space to sign and date the form.You will need to do this before submitting it. , The third and fourth pages of the form package are a consent form that must be submitted along with the complaint form you just completed.Read through the form and decide if you wish to consent to OCR accessing and revealing your personal information to certain entities during the course of its investigation.
Then, check the appropriate box with regards to your consent decision, write in your address and telephone number, and sign and date the form.
Consent is entirely voluntary, but OCR warns that failure to provide consent can impede its investigation and ultimately close it., After you have completed both the complaint and consent forms (again, the first four pages of the form package), you have several options for submitting your complaint to OCR:
You can print out the completed forms and either mail or fax them to the appropriate regional OCR office (the OCR office in the region where the violation occurred).
OCR provides a list of contact information for its regional offices online.You can e-mail the completed forms to OCR at [email protected]. -
Step 3: Provide identifying information.
-
Step 4: Provide information about the HIPAA violation.
-
Step 5: Provide optional information.
-
Step 6: Sign and date the form.
-
Step 7: Complete the Complainant Consent Form.
-
Step 8: Submit your complaint.
Detailed Guide
The Office for Civil Rights ("OCR") of the U.S.
Department of Health & Human Services provides an OCR Health Information Privacy Complaint Form Package on its website.You will use this form to report a HIPAA violation by downloading it, completing it, and then submitting it to the appropriate entity.
The form package consists of eight pages.Before you begin to fill out the form, you should take some time and read through the entirety of the form package.
You will use the first two pages to actually report the HIPAA violation.
The third and fourth pages comprise a consent form, which you can fill out to authorize OCR to access your personal information while the office investigates your complaint.
The last four pages provide information on what OCR can do with your personal information, how it will be protected, and when it can be disclosed. , The top half of the first page of the complaint form requires you to provide information such that OCR can identify who is reporting the HIPAA violation.
You will need to provide your name, phone number, street address, and e-mail address.If you are completing the form for someone else, check the relevant box and write in that person's name in the appropriate section. , On the second half of the first page, you will need to detail the who, when, and what of the alleged HIPAA violation.
You will need to provide the name and street address of the entity you believe committed the violation, and the date on which the violation occurred.You will then need to briefly describe how the named entity violated your (or someone else's) rights under HIPAA.
When describing the nature of the violation, you should be as specific as possible.
You don't need to use complex, legal language or reference the HIPAA statute itself.
Simply write down the sequence of events you believe led to the violation, and then provide as much detail as you can about the violation and how it has affected you.
If you need additional space than that provided, you can attach additional pages. , The second page of the complaint form is completely optional.This part of the form asks you to identify any special needs you might have that could affect communication with OCR, allows you to provide an additional contact if OCR cannot reach you directly to discuss your report, asks if you have filed your complaint anywhere else, and asks about race/ethnicity and how you heard about OCR.
Complete all, some, or none of this section as you wish. , On the bottom of the first page, there is a space to sign and date the form.You will need to do this before submitting it. , The third and fourth pages of the form package are a consent form that must be submitted along with the complaint form you just completed.Read through the form and decide if you wish to consent to OCR accessing and revealing your personal information to certain entities during the course of its investigation.
Then, check the appropriate box with regards to your consent decision, write in your address and telephone number, and sign and date the form.
Consent is entirely voluntary, but OCR warns that failure to provide consent can impede its investigation and ultimately close it., After you have completed both the complaint and consent forms (again, the first four pages of the form package), you have several options for submitting your complaint to OCR:
You can print out the completed forms and either mail or fax them to the appropriate regional OCR office (the OCR office in the region where the violation occurred).
OCR provides a list of contact information for its regional offices online.You can e-mail the completed forms to OCR at [email protected].
About the Author
Virginia Martin
With a background in digital media and internet, Virginia Martin brings 14 years of hands-on experience to every article. Virginia believes in making complex topics accessible to everyone.
Rate This Guide
How helpful was this guide? Click to rate: