If you believe your medical records have been falsified, you can report it to several federal and state agencies depending on the nature of the falsification. The right agency depends on whether the records were altered to commit billing fraud, to cover up a medical error, or to misrepresent your health information. In most cases, you’ll want to file with more than one.
Determine What Type of Falsification Occurred
Not every error in a medical record is falsification. A misspelled name, a wrong date, or a misrecorded blood pressure reading can be a clerical mistake. What separates falsification from error is intent. Under federal law (18 U.S.C. § 1035), medical record fraud requires that someone “knowingly and willfully” falsified, concealed, or covered up a material fact, or made materially false statements in connection with healthcare delivery or payment. The word “material” matters here: the false information has to be significant enough to affect your care, your insurance, or a legal proceeding.
Common forms of intentional falsification include adding treatments or diagnoses that never happened (often to inflate insurance billing), deleting or altering notes to cover up a medical error, backdating entries, copying and pasting notes from other patients, or changing records after a malpractice complaint. If you’re seeing something that looks like a simple typo, start with a records amendment request before escalating to a formal complaint.
Request Your Full Medical Records First
Before filing a report with any agency, get a complete copy of your medical records from the provider. Under HIPAA, you have a legal right to access your health information, and the provider must respond to your request. Having your own copy creates a baseline. If you already have earlier versions of documents, such as visit summaries, discharge papers, or after-visit notes sent through a patient portal, compare them against the official record. Discrepancies between what you received at the time of care and what appears in the record later can be strong evidence of tampering.
If your records are stored electronically, the system maintains an audit trail that logs every change, including who made it and when. You can request access to this audit trail as part of your records. Providers sometimes push back on this, but the audit log is part of your designated record set if it was used to make decisions about your care.
Request a Formal Amendment
HIPAA gives you the right to request an amendment to your medical records when they contain inaccurate information. This is a formal, written process. Submit your amendment request in writing to the provider or facility’s privacy officer, specifying exactly which entries are wrong and why.
The provider has 60 days to respond, with a possible 30-day extension. They can accept your amendment or deny it. If they deny it, they must explain why in writing. You then have the right to file a “statement of disagreement” that gets attached to your record permanently. Every time that record is shared going forward, your statement of disagreement must go with it. This doesn’t fix the falsification, but it creates a documented paper trail showing you disputed the record’s accuracy, which strengthens any future complaint or legal claim.
File a HIPAA Complaint With HHS
If the falsification involves a violation of your health information privacy rights, or if a provider refuses to process your amendment request properly, file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR enforces HIPAA’s privacy and security rules.
You can file online through the OCR Complaint Portal at ocrportal.hhs.gov. The portal walks you through a series of questions about the nature of your complaint. Select “Violation of Privacy or Security of Health Information” as the complaint type. If you need help, you can call OCR toll-free at 1-800-368-1019 or email [email protected]. Include copies of your records, your amendment request, the provider’s response (if any), and any documentation showing the discrepancies you identified.
Report Billing-Related Falsification to the FBI and OIG
When records have been altered to support fraudulent insurance billing, this becomes a federal fraud issue. Two agencies handle these reports.
The FBI investigates healthcare fraud of all sizes. File a complaint through the Internet Crime Complaint Center at ic3.gov. The FBI asks you to include as much of the following as possible: the provider’s name and any license or National Provider Identifier numbers, relevant dates of service or claims, a description of the services billed and the dollar amounts, whether you actually received those services, your insurance carrier, and the location of all parties involved. Attach copies of explanation-of-benefits statements, invoices, or any communications with the provider. Keep all original documentation.
The HHS Office of Inspector General (OIG) pursues civil and criminal penalties against providers who submit false claims. Penalties are steep: fines can reach three times the program’s financial loss plus $11,000 per false claim filed, and civil monetary penalties range from $10,000 to $50,000 per violation. Physicians have been imprisoned for submitting fraudulent healthcare claims. You can report fraud to the OIG through their hotline at 1-800-HHS-TIPS or online at oig.hhs.gov.
Report to Your State Medical Board
State medical boards license and discipline physicians, and falsifying records falls squarely within their authority. The Federation of State Medical Boards notes that “inadequate record keeping” and dishonesty are recognized forms of unprofessional conduct, and boards investigate complaints from patients, other providers, hospitals, and government agencies.
Every state has its own board with its own complaint form, usually available on the board’s website. Search for “[your state] medical board complaint” to find the right portal. Your complaint should describe the specific entries you believe were falsified, include copies of the records showing discrepancies, and explain how you discovered the problem. Boards can suspend or revoke a physician’s license, issue fines, or require supervised practice. If the provider is a nurse, pharmacist, or other licensed professional rather than a physician, file with the corresponding licensing board for that profession in your state.
Protections for Healthcare Workers Who Report
If you work in healthcare and witnessed or discovered record falsification by a colleague or employer, federal law offers protections. The False Claims Act allows private individuals to file “qui tam” lawsuits on behalf of the government against entities that have defrauded federal healthcare programs like Medicare or Medicaid. If the government recovers money as a result, whistleblowers can receive a percentage of the recovery. The False Claims Act also prohibits employers from retaliating against employees who report fraud, meaning you cannot legally be fired, demoted, or harassed for making a report.
Healthcare workers considering a whistleblower claim should consult an attorney who specializes in qui tam cases before filing, since the process has specific procedural requirements, including filing the lawsuit under seal so the government can investigate before the case becomes public.
Keep Track of Deadlines
Time limits apply to every reporting channel. For federal civil claims involving Medicare or Medicaid fraud, the statute of limitations is six years. For federal criminal prosecution, it’s five years. State deadlines vary and are often shorter. Some states set a three-year civil limitation for healthcare fraud, with the clock starting when you become aware the falsification occurred rather than when it actually happened.
HIPAA complaints to OCR should be filed as soon as possible. While OCR doesn’t publish a hard cutoff for all complaint types, delays weaken your case and may limit the agency’s ability to investigate. The strongest position is to file within 180 days of discovering the problem.
Document Everything You Can
Across all reporting channels, the strength of your complaint depends on your documentation. Save copies of every version of your medical records you can obtain, including patient portal printouts, after-visit summaries, and discharge instructions. Screenshot any online records before they can be altered further. Keep a timeline of your interactions with the provider, including dates of visits, names of staff, and what was communicated. Save all emails, letters, and voicemails. If you discussed concerns with the provider’s office and they responded verbally, write down what was said and when, as close to the conversation as possible.
Filing with multiple agencies simultaneously is both legal and common. The FBI complaint form even asks whether you’ve reported the issue to any other agency. Each organization investigates from a different angle: OCR focuses on your privacy rights, the OIG and FBI focus on fraud, and the state medical board focuses on professional conduct. Reporting to all relevant channels gives your complaint the best chance of resulting in action.