Can a HIPAA Violation Be Filed? How to File a Complaint and What Happens Next


Kevin Henry

HIPAA

February 21, 2024

7-minute read

Determine Eligibility for Filing

Confirm you are within HIPAA’s scope

You can file if the conduct involves a HIPAA-covered entity (such as a health plan, most health care providers, or a health care clearinghouse) or a business associate that handles protected health information for them. Complaints about apps, employers, or other organizations that are not in a HIPAA relationship may fall outside OCR’s authority.

Identify the type of violation

  • Privacy Rule violation: improper use or disclosure of protected health information (PHI), denial of timely access, or lack of minimum necessary controls.
  • Security Rule violation: failure to implement required administrative, physical, or technical safeguards for electronic PHI (ePHI), for example no documented risk analysis, no access controls, or no audit logging.
  • Breach Notification Rule violation: failure to provide required notices to affected individuals, the media (when applicable), or HHS after a breach of unsecured PHI, or providing them late (individual notice is due without unreasonable delay and no later than 60 days after discovery).

Retaliation for filing a complaint is prohibited. You may file on your own behalf, for someone else with authorization, or as a witness.

Check timeliness

You generally must file within 180 days of when you knew—or should have known—about the potential violation. If you missed the deadline, explain the reason in your complaint; OCR can waive the time limit if you show good cause.

When HIPAA does not apply

Issues limited to customer service disputes, billing disagreements without a privacy or security component, or use of health data by non-HIPAA companies may not qualify. In such cases, OCR may refer you to another agency or provide alternative options.

Prepare a Written Complaint

Include essential facts

  • Your name and contact information. The OCR form lets you decline consent to having your identity disclosed to the organization you are complaining about, but withholding that consent can prevent OCR from investigating or resolving the complaint.
  • The name, address, and role of the organization (covered entity or business associate).
  • What happened, when, where, and who was involved—describe the Privacy Rule violation, Security Rule violation, or Breach Notification Rule concern.
  • Any harm or risk you experienced and steps already taken (for example, contacting the provider).
  • Supporting materials such as letters, emails, screenshots, notices, or policies.

Strengthen clarity and completeness

  • Organize a concise timeline of events and keep copies of everything you submit.
  • Use exact dates, locations, and systems affected (e.g., patient portal, EHR, email).
  • Avoid including unnecessary sensitive data; provide only what is needed to explain the facts.

Submit Complaint Electronically or by Mail

Using the OCR complaint portal

The fastest method is the OCR complaint portal. You complete prompts about the parties involved, describe the incident, upload evidence, and electronically sign. You will receive confirmation after submission and may be asked for additional information.

Submitting by mail or email

You can print, sign, and mail or email a written complaint to the appropriate OCR regional office. Keep proof of mailing or delivery. If you need accommodations or language assistance, request them in your submission.

Review Process by OCR

Intake and triage

OCR confirms receipt, checks whether the entity is under HIPAA, and reviews timeliness. If the matter is outside jurisdiction or untimely without good cause, OCR may close the case or refer it elsewhere. For minor or first-time issues, OCR may provide technical assistance to the entity and to you.

Early resolution

OCR can seek prompt, informal steps from the entity to address the issue quickly—such as releasing records that were improperly withheld or correcting notices. If concerns persist or appear systemic, OCR proceeds to a formal investigation.

Investigation Procedures

Information gathering

OCR may request policies, risk analyses, training records, logs, breach assessments, and communications. It can interview workforce members, contractors, and witnesses, and review the entity’s past compliance history.

On-site work and technical review

For complex cases, OCR may conduct on-site visits, evaluate security controls, and assess how PHI flows through systems. For breaches, OCR reviews how the incident occurred, whether encryption or other safeguards were in place, and if notifications met regulatory timelines.

Your role during the investigation

You may be asked for clarifications or additional documents. OCR keeps your information as confidential as possible, but it may share necessary details with the entity to advance the investigation. OCR represents the public interest; it does not act as your private attorney.

Expected timelines

Intake reviews can resolve in weeks. Full investigations often take several months; intricate cases or those involving multiple entities can extend longer, especially if parallel law enforcement or litigation is underway.

Resolution Outcomes

Voluntary compliance and corrective action plan

Many cases end with voluntary compliance or a corrective action plan requiring policy updates, staff training, additional safeguards, and periodic reporting to OCR. These measures aim to prevent recurrence and verify sustained compliance.

Settlements and civil monetary penalties

When warranted, OCR may enter into a settlement agreement or impose civil monetary penalties. Factors include the severity and duration of noncompliance, harm, number of individuals affected, willful neglect, and the entity’s cooperation and corrective efforts.

Closure without violation

OCR may close the case if evidence does not support a violation, if the issue was adequately resolved, or if the matter is better addressed by another authority. You are typically informed of the closure reason.

What you receive

You receive a closure letter summarizing the outcome. HIPAA does not create a private right of action, so you cannot sue for damages under HIPAA itself; OCR’s focus is on organizational compliance, not individual compensation. Any compensation would have to come through other routes, such as state privacy or negligence law.

Jurisdiction Limitations

Common limits

  • Non-HIPAA entities: employers, certain wellness apps, schools (in many instances), or life insurers acting outside HIPAA relationships.
  • Employment records: HIPAA does not cover an employer’s personnel files, even for health-related information.
  • Pure quality or billing disputes: unless they involve PHI misuse or access rights, these are typically outside HIPAA.

Alternative paths

  • State attorneys general may enforce HIPAA and state privacy laws.
  • Professional licensing boards can handle provider conduct issues.
  • Other regulators (for example, consumer protection authorities) may address non-HIPAA privacy concerns.

Key takeaways

  • File within 180 days when possible, and clearly link facts to a HIPAA rule.
  • Use the OCR complaint portal or mail; include detailed, well-organized evidence.
  • Outcomes range from technical assistance to corrective action plans, settlements, or civil monetary penalties.
  • If HIPAA does not apply, consider state or other regulatory avenues.

FAQs

How do I know if my complaint is eligible under HIPAA?

Confirm that the organization is a HIPAA-covered entity or its business associate and that your concern involves PHI. Then match the conduct to a HIPAA rule—for example, a Privacy Rule violation (improper disclosure or denial of access), a Security Rule violation (missing safeguards for ePHI), or a Breach Notification Rule failure (no timely notice). Finally, ensure you are within the 180-day filing period or explain good cause for the delay.

What information is required in a HIPAA complaint?

Provide your contact information; the entity’s name and role; a clear description of what happened with dates, locations, and people involved; which HIPAA rule you believe was violated; and any supporting evidence. If you submit through the OCR complaint portal, upload documents and e‑sign; for mail submissions, sign and keep proof of delivery.

How long does the OCR investigation take?

Intake and early resolution can occur in a few weeks for straightforward matters, but full investigations commonly take several months. Complex, multi-party, or security-heavy cases can extend longer, especially if OCR coordinates with other authorities.

Can I file a complaint against an individual workforce member?

You typically file against the organization, not the individual. OCR enforces HIPAA against covered entities and business associates; those entities are responsible for their workforce. If an individual’s conduct appears criminal, OCR may refer the matter to law enforcement while pursuing organizational compliance.
