The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law on August 21, 1996. Among this law’s many important protections for millions of working Americans and their families are requirements to protect the privacy of individual’s health information through rules which govern health care providers and entities that pay for health care or process health care information.  The HIPAA Privacy and Security Rules ensure a national floor of privacy and security protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information.  Starting in September 2009, HIPAA protections now include new rules against disclosure or protected health information including notification of individuals when the privacy of their information is breached.

You have privacy and security rights under a federal law that protects your health information. These rights are important for you to know. You can exercise these rights, ask questions about them, and file a complaint if you think your rights are being denied or your health information isn't being protected. You have privacy rights under a federal law that protects your health information. Additionally, you have the right to be notified of any breach that compromises the security or privacy of personal health information.

For more information on the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.


How to File a Health Information Privacy Complaint

If you believe that a person, agency or organization covered under the HIPAA Privacy Rule ("a covered entity" or a “business associate”) violated your (or someone else's ) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint either with the federal Office for Civil Rights (OCR), or the Connecticut Office of the Attorney General.  The Office of the Attorney General has authority to enforce HIPAA protections for Connecticut state residents.   OCR and the Office of the Attorney General have authority to receive and investigate complaints against covered entities and business associates related to the HIPAA Privacy Rule, Security Standards,  and the newly established Breach Notification Rule.   The recent changes to HIPAA also permit OCR or the Office of Attorney General to bring a lawsuit in federal court to enforce HIPAA protections.  A covered entity is a health plan, health care clearinghouse, and any health care provider who conducts certain health care transactions electronically.  A business associate is an entity that performs or assists in the execution of an activity involving protected health information or provides services for a covered entity.

To file a complaint with the federal Office of Civil Rights.

To file a complaint with the Office of the Attorney General, please fill out the form and send to Office of the Attorney General, 165 Capitol Avenue, Hartford, CT 06106.

[En Español]