If you believe your medical information has been wrongfully used or disclosed, please refer to the information below to find out who to contact.
Reporting Incidents Involving Certain Medical Facilities
The California Department of Public Health (CDPH) licenses certain types of medical facilities, and they investigate complaints or reports of privacy breaches of medical information at these facilities. This includes the following facilities:
- General acute care hospitals
- Primary care clinics
- Community clinics
- Free clinics
- Skilled nursing facilities
- Home health agencies
- Acute psychiatric hospitals
- Special hospitals
- Specialty clinics
- Surgical clinics
- Chronic dialysis clinics
- Rehabilitation clinics
- Alternative birth centers
- Intermediate care facilities
- Congregate living health facilities
- Correctional treatment centers
- Mobile health care units
If you wish to report a medical information privacy breach, please contact the appropriate CDPH District Office. Each District Office serves a specific geographic area. To find the District Office that serves the area where your privacy breach occurred, please go to their website at http://www.cdph.ca.gov/certlic/facilities/Pages/LCDistrictOffices.aspx.
When contacting the District Office, please be prepared to identify a primary contact person familiar with the incident and provide his or her contact information.
Federal Office for Civil Rights (OCR)
A violation of the privacy of your medical information may also be a violation of HIPAA, the federal law that protects the privacy of such information. HIPAA is enforced by the federal government. To file a complaint for a possible HIPAA violation, please contact:
Office for Civil Rights, DHHS
90 7th Street, Suite 4-100
San Francisco, CA 94103
Phone: (415) 437-8310
Fax: (415) 437-8329
This website has valuable information for filing a complaint, including the time frame within which a complaint must be filed, the requirement that it be filed in writing and a link to OCR’s complaint form.
Reporting Incidents Involving Other Medical Providers Not Licensed by CDPH, or Involving Any Other Business, Entity or Person
If you wish to report a medical privacy or security violation incident pertaining to any type of medical provider not licensed by CDPH (any type of provider other than those listed above), or to any other business, entity or person, you will need to file a complaint with the District Attorney of the county in which the incident occurred. If more than one county is involved, you will need to file a complaint with the District Attorney in each county involved. Please be aware that District Attorneys tend to give priority to cases involving felonies or misdemeanors, and violations of California law in health information privacy generally are not felonies or misdemeanors. Therefore, it is not certain when a District Attorney’s office will address your complaint or what priority your complaint will receive.
Please note that the California Office of Health Information Integrity (CalOHII) cannot address violation incidents not referred to CalOHII directly from the CDPH.