If you believe your medical information has been wrongfully used, disclosed or accessed, please refer to the information below to determine the appropriate authority to contact.
Reporting Incidents Involving Medical Facilities
The Department of Public Health Licensing and Certification Division is responsible for investigating reports of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information involving any facility licensed under Division 2 pursuant to Sections 1204, 1250, 1725, or 1745 of the Health and Safety Code. Such facilities may include the following:
- Primary care clinics
- Community clinics
- Free clinics
- Specialty clinics
- Surgical clinics
- Chronic Dialysis clinics
- Rehabilitation clinics
- Alternative Birth centers
- General acute care hospitals
- Acute psychiatric hospitals
- Skilled nursing facilities
- Intermediate care facilities
- Special hospitals
- Congregate living health facilities
- Correctional treatment centers
- Home health agencies
- Mobile health care units
If you wish to report a medical information privacy or security incident as described above, please contact the appropriate Department of Public Health Licensing and Certification District Office. To find your nearest District Office, please visit http://www.cdph.ca.gov/certlic/facilities/Pages/LCDistrictOffices.aspx
When contacting the District Office please be prepared to identify a primary contact person familiar with the incident and provide his or her contact information.
Federal Office of Civil Rights (OCR)
Violation of the privacy of individually identifiable health information may also be a violation of HIPAA, the federal law that protects the privacy of such information. HIPAA is enforced by the federal government. To file a complaint for possible HIPAA violation, please contact:
Office for Civil Rights, U.S. Department of Health & Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Fax: (415) 437-8329
Reporting Incidents Involving Any Other Medical Provider, Business, Entity or Person
If you wish to report a medical privacy or security violation incident pertaining to any other type of medical provider, business, entity or person you will need to file a complaint with the District Attorney of the county in which the incident occurred. If more than one county is involved, you will need to file a complaint with the District Attorney in each county involved.
Please note that the California Office of Health Information Integrity (CalOHII) cannot address violation incidents not referred to CalOHII directly from the California Department of Public Health.