Anyone can file a health information privacy or security complaint. Your complaint must:
Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
Name the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules
Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause"
GDPR will only occasionally and coincidentally (if at all) be relevant to health data held by US health care providers and their business associates, whereas HIPAA will always be relevant.
That has no effect on the central theme of the story (which is health care firms partnering with Google as a Business Associate, and thereby sharing patient data).