HIPAA Privacy Rule FAQs


The HIPAA Privacy Rule provides federal protections for “individually identifiable health information” held by “covered entities” and their “business associates,” and gives patients privacy rights with respect to that information. The Privacy Rule also permits the disclosure of health information needed for patient care and for other important purposes.

What information is protected by HIPAA?

Individually identifiable health information is information that relates to an individual’s past, present or future physical or mental health or condition, the provision of health care to an individual, or payment for the provision of health care to an individual, and that either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual (for example, through a Social Security Number, birth date, or address).

Who is covered under HIPAA?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with transactions for which HHS has adopted standards (such as claims or eligibility inquiries). A business associate is a person or entity that performs functions on behalf of, or provides services to, a covered entity that involve access to protected health information.

Who can file a HIPAA Complaint?

Anyone can file a complaint alleging a violation of the Privacy Rule. If you believe that a covered entity or business associate violated your (or someone else’s) health information privacy rights, you may file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights (OCR).

When should a Complaint be filed?

The complaint must be filed within 180 days of when you knew, or should have known, about the act or omission you are complaining about. OCR may extend the 180-day period if you can show good cause for the delay.

How to file a complaint:

Your complaint must be in writing, must name the covered entity or business associate involved, and must describe the acts or omissions you believe violated the HIPAA Privacy Rule. You can file your complaint electronically (https://ocrportal.hhs.gov/ocr/cp/wizard_cp.jsf), or you can file by mail, fax, or e-mail to OCRComplaint@hhs.gov.

What if the covered entity retaliates?

Under HIPAA, a covered entity or business associate cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

What happens after a Complaint is filed?

OCR investigates complaints against covered entities and their business associates. If the evidence shows that the covered entity or business associate was not in compliance with HIPAA, OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, or a resolution agreement. In some cases OCR may impose civil money penalties. Complainants do not receive a portion of any penalty; penalties are deposited in the U.S. Treasury. OCR will communicate the results of its investigation to the person who filed the complaint.

Need more information?

Visit the OCR website: http://www.hhs.gov/ocr/privacy/index.html