By law, health care providers (including doctors and hospitals) who engage in certain electronic transactions, health plans, and health care clearinghouses, (collectively, “covered entities”) had until April 14, 2003, to comply with the HIPAA Privacy Rule. (Small health plans had until April 14, 2004, to comply). OCR provides further information on its web site about how to file a complaint.
Activities occurring before April 14, 2003, are not subject to the Office for Civil Rights (OCR) enforcement actions.
After that date, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically.
This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.
The Secretary may waive this 180-day time limit if good cause is shown. See 45 CFR 160.306 and 164.534.
In addition, after the compliance dates above, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity’s notice of privacy practices for more information about how to file a complaint with the covered entity.