Note: First, try to remedy the situation with your local VA Medical Center (VAMC) or other medical facility privacy officer. The privacy officer will conduct an investigation into your allegation, take appropriate action and notify you. If you are unsatisfied or your complaint goes unanswered, file your complaint with the HHS.
Please visit the Department of Health and Human Services website, www.hhs.gov, or https://www.hhs.gov/hipaa/filing-a-complaint/index.html to file your complaint. It is a simple form and allows you to upload supporting documents. You have several filing method options.
The HHS website has important information regarding your HIPAA/Privacy rights and what is expected of your treatment facilities Security Rule.
Click on Security Rule vs Privacy Rule for an explanation.
NOTE: The Security Rule applies only to EPHI, while the Privacy Rule applies to PHI which may be in electronic, oral, and paper form.
NOTE: OCR within HHS oversees and enforces the Privacy Rule, while CMS oversees and enforces all other Administrative Simplification requirements, including the Security Rule.