The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services is the primary office charged with protecting individual patients. OCR enforces federal laws that safeguard your health information privacy, prevent discrimination in healthcare settings, and give you legal rights over your own medical records.
What the Office for Civil Rights Does
OCR has two major areas of responsibility when it comes to individual patients. First, it enforces the HIPAA Privacy, Security, and Breach Notification Rules, which govern how hospitals, clinics, insurers, and their business partners handle your personal health information. Second, it enforces civil rights laws that prohibit discrimination in any health program receiving federal funding. If a healthcare provider violates your privacy or discriminates against you, OCR is the office that investigates and penalizes that behavior.
OCR also enforces Section 1557 of the Affordable Care Act, which prohibits healthcare organizations from excluding or discriminating against patients on the basis of race, color, national origin, sex, age, or disability. Healthcare providers covered by this law must post a written nondiscrimination policy and make it available to patients, enrollees, and the public.
Your Rights Under HIPAA
The HIPAA Privacy Rule gives you a set of enforceable legal rights over your health information. The most fundamental is the right to see and obtain copies of your medical records. You can request your records in any format, including electronic, and the provider must deliver them in that format if it’s readily producible. If not, you and the provider agree on an alternative readable format.
Providers must respond to your access request within 30 calendar days. If they need more time, they can take an additional 30 days, but only if they notify you in writing during that first window, explaining the delay and giving a specific completion date. The 30-day clock starts the moment your request is received, so any internal delays eat into that timeline.
These rights apply to all protected health information maintained by or for a covered entity, regardless of when it was created, whether it’s stored on paper or electronically, or where it originated. You can also direct a provider to send your records to a person or organization of your choosing.
Language Access and Disability Protections
OCR enforces requirements that healthcare providers communicate with you in a way you can understand. If you don’t speak English well, or have difficulty reading, writing, or understanding English, your provider must offer free language services such as an interpreter or translated documents. You are not required to bring your own interpreter, pay for one, or rely on a child or family member to translate.
If you have a disability, providers must offer free auxiliary aids and services to help you access information. These might include sign language interpreters, large-print materials, or accessible digital formats, depending on your needs.
How to File a Complaint
Anyone can file a complaint with OCR if they believe a healthcare provider, health plan, or business associate violated HIPAA rules or discriminated against them. Complaints must be filed within 180 days of when you became aware of the violation, though OCR can extend that deadline if you show good cause.
You have several options for filing. The fastest route is OCR’s online Complaint Portal, where you’ll select the type of complaint, provide details about what happened, identify the entity involved, and electronically sign a consent form. You can also submit a complaint by email to [email protected] or by mail to HHS Centralized Case Management Operations at 200 Independence Avenue S.W., Room 509F, Washington, D.C. 20201. Written complaints don’t need to follow a specific form, but they should include your contact information, the name and address of the entity you’re complaining about, and a description of what happened and when.
Penalties for Violations
OCR doesn’t just investigate complaints. It has real enforcement power. Civil penalties for HIPAA violations are structured in four tiers based on the level of negligence involved:
- Unknowing violations: $100 to $50,000 per violation, up to $25,000 annually for repeat violations
- Reasonable cause: $1,000 to $50,000 per violation, up to $100,000 annually
- Willful neglect, corrected in time: $10,000 to $50,000 per violation, up to $250,000 annually
- Willful neglect, not corrected: $50,000 per violation, up to $1.5 million annually
These penalties give OCR significant leverage. Healthcare organizations that ignore patient rights or fail to protect health data face financial consequences that scale with how careless or intentional the violation was.
Other HHS Offices Involved in Patient Protection
While OCR is the primary office protecting individual patient rights, two other HHS agencies play supporting roles. The Agency for Healthcare Research and Quality (AHRQ) focuses on patient safety rather than individual rights. Under the Patient Safety and Quality Improvement Act of 2005, AHRQ oversees Patient Safety Organizations that collect and analyze data from healthcare providers to reduce medical errors and adverse events. AHRQ’s work is systemic: it develops standardized reporting formats so safety data can be aggregated and studied across regions and institutions.
The Office of the National Coordinator for Health Information Technology (ONC) sets certification standards for electronic health record systems, ensuring they meet benchmarks for security, functionality, and interoperability. ONC works alongside OCR to develop privacy and security guidance for healthcare providers, particularly smaller practices that may lack dedicated IT resources. ONC also promotes meaningful patient consent in electronic health information exchange.
Neither AHRQ nor ONC handles individual complaints the way OCR does. If your personal rights as a patient have been violated, OCR is the office you contact.