HIPAA Covered Entities, Office For Civil Rights, and the Federal Trade Commission

HIPAA

HIPAA-covered entities include healthcare providers, health plans, healthcare clearinghouses, and their business associates who handle protected health information (PHI). These organizations are required to follow HIPAA’s privacy and security rules. However, certain entities such as mobile apps, wearable fitness devices, or non-health-related companies that handle consumer data may not be covered by HIPAA.

The Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations, ensuring that covered entities protect the privacy and security of health information. Meanwhile, the Federal Trade Commission (FTC) oversees the privacy practices of organizations that are not subject to HIPAA but still manage consumer health data, particularly under the FTC Act.

If you believe your health information has been compromised by a HIPAA-covered entity, you can file a complaint with OCR:

  1. Visit the OCR Complaint Portal at https://ocrportal.hhs.gov.
  2. Complete the required fields, including your contact information and details about the entity involved.
  3. Submit the complaint online, or download and mail it to: Office for Civil Rights, Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201.

For non-HIPAA-covered entities, such as apps or companies handling consumer data, you can file a complaint with the FTC:

  1. Visit the FTC Complaint Assistant at https://reportfraud.ftc.gov.
  2. Follow the prompts to select the type of complaint.
  3. Provide details of the issue and submit the form electronically.

Both agencies investigate complaints to ensure privacy and security laws are upheld, and provide resources for individuals concerned about their personal health data.
