45 CFR 160.306 Complaints: How to File a HIPAA Complaint with HHS OCR


Kevin Henry

HIPAA

February 14, 2026


Filing a HIPAA Complaint

Under 45 CFR 160.306, you have the right to ask the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) to investigate if you believe a Covered Entity or Business Associate violated HIPAA. This includes concerns under the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule.

Your complaint alerts OCR to possible noncompliance and can lead to corrective action that protects you and others. The process is free, straightforward, and designed to ensure your concerns are reviewed fairly.

Quick steps

  • Confirm the organization is a Covered Entity or Business Associate subject to HIPAA.
  • Act before the Complaint Submission Deadline (generally 180 days from when you knew of the issue).
  • Gather facts, dates, and any supporting documents.
  • Choose a filing method (OCR Complaint Portal or mail/fax/email to OCR).
  • Submit your complaint and keep a copy of what you sent.

Complaint Requirements

Who can file and what qualifies

  • Anyone may file if they believe a HIPAA violation occurred by a Covered Entity or Business Associate.
  • You may file on your own behalf or for someone else as an authorized personal representative.
  • The issue must relate to HIPAA requirements (for example, an improper disclosure under the HIPAA Privacy Rule).

Complaint Submission Deadline

  • File within 180 days of when you knew or should have known of the violation.
  • OCR may extend the deadline if you show good cause (for example, illness or delayed discovery).

Form and content

  • Submit in writing (including electronically). Clearly identify the organization and describe what happened and when.
  • Include your contact information unless you choose to file anonymously (see FAQs for considerations).
  • If filing for someone else, state your relationship and authority to act.

Filing Methods

Online submission

The OCR Complaint Portal is the fastest way to file and receive confirmation. You complete guided questions, upload documents, and submit electronically.

Mail, fax, or email

You can also send a signed letter or OCR’s complaint form by mail, fax, or email to the appropriate OCR regional office. Provide all required details and copies (not originals) of supporting materials.


Accessibility and representation

  • OCR offers language assistance and disability accommodations on request.
  • You may have an attorney or other representative submit or manage the complaint for you.

Information Needed

Core details to include

  • Your name and contact information (unless filing anonymously).
  • The name, role, and contact information of the Covered Entity or Business Associate.
  • A clear description of what happened, the dates, and where it occurred.
  • Which HIPAA requirement you believe was violated (for example, HIPAA Privacy Rule minimum necessary standard or unauthorized disclosure).
  • Whether the issue is ongoing and any steps already taken to resolve it.

Helpful supporting materials

  • Relevant correspondence, notices, screenshots, or policy excerpts.
  • Names of people involved and potential witnesses.
  • Authorization or proof of representation if you file for someone else.

Retaliation Prohibition

HIPAA bars retaliation for filing a complaint, participating in an OCR investigation, or opposing conduct you reasonably believe violates HIPAA. This Retaliation Prohibition applies to Covered Entities and Business Associates.

If you experience threats, intimidation, termination, or other adverse actions because of your complaint, document it and inform OCR. Retaliation itself can constitute a separate HIPAA violation.

Investigation Process

What OCR does after you file

  • Intake and jurisdiction check: OCR confirms the complaint is timely, relates to HIPAA, and identifies a regulated entity.
  • Early resolution: In some matters, OCR may resolve through technical assistance or voluntary steps by the entity.
  • Formal investigation: OCR may request records, interview witnesses, and assess policies, safeguards, and practices.

Possible Investigation Outcome

  • No violation found: OCR closes the matter with an explanation.
  • Voluntary compliance or corrective action plan: The entity agrees to fix deficiencies and may be monitored.
  • Civil monetary penalties: If the entity fails to comply, OCR may impose penalties; serious matters can be referred for enforcement.

OCR will notify you of the resolution stage it can share. Timelines vary based on complexity, cooperation, and the volume of complaints.

Additional Resources

  • Regulatory text: 45 CFR 160.306 (complaints to the Secretary) and 45 CFR 160.316 (refraining from intimidation or retaliation).
  • Rule overviews: HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
  • Practical tools: OCR Complaint Portal guidance and the complaint form instructions.
  • Entity scope: How to determine whether an organization is a Covered Entity or Business Associate.

FAQs

How do I file a HIPAA complaint with OCR?

Submit your concerns in writing to HHS OCR. The OCR Complaint Portal is the fastest option; you can also mail, fax, or email a signed complaint to an OCR regional office. Provide the entity’s name, what happened, when it occurred, and your contact information, and file within 180 days when possible.

What information is required for a HIPAA complaint?

List your name and contact information; the Covered Entity or Business Associate; dates and facts; which HIPAA requirement you believe was violated (for example, HIPAA Privacy Rule); and any supporting documents. If filing for someone else, include proof you are authorized to act.

What is the deadline for filing a HIPAA complaint?

The general Complaint Submission Deadline is 180 days from when you knew or should have known of the possible violation. OCR may grant an extension if you show good cause for filing late.

Can I file a complaint anonymously?

Yes, you may file without providing your name. However, if OCR cannot contact you, it may be harder to investigate and you will not receive updates. You can request confidentiality, but some information may need to be shared with the entity to investigate.

How does OCR handle retaliation complaints?

OCR treats retaliation as a separate HIPAA concern under the Retaliation Prohibition. Include details about the adverse action, dates, and any evidence. If substantiated, OCR can require corrective action and, when appropriate, impose penalties.

In summary, 45 CFR 160.306 gives you a clear path to report HIPAA concerns to HHS OCR. File promptly, include specific facts, use the OCR Complaint Portal or other permitted methods, and remember that retaliation is prohibited. These steps help OCR investigate effectively and drive compliance improvements.
