Can I File a HIPAA Complaint Online? Yes—How to Submit One to the HHS Office for Civil Rights
Overview of HIPAA Complaint Process
Yes, you can report a HIPAA violation online through the HHS Office for Civil Rights (OCR). The Office for Civil Rights complaint portal guides you step by step through reporting concerns about the privacy of electronic health information, as well as Privacy, Security, and Breach Notification Rule issues.
Anyone may file: patients, personal representatives, caregivers, or workforce members. Generally, you should submit within 180 days of when you knew of the issue; if you’re late, explain any good cause for the delay. There is no fee to file, and retaliation for filing a complaint is prohibited.
- Gather facts and documents.
- Start your complaint in the OCR portal.
- Complete each screen, add attachments, and describe what happened.
- Provide an electronic signature and address the complaint consent form.
- Submit and keep your confirmation for records.
Preparing Information for Submission
Having complete, organized details helps OCR assess your complaint quickly. Before you begin, compile the essentials and decide whether you will authorize disclosure of your identity to the organization involved.
What to gather
- Your contact details and preferred method of communication.
- Names, addresses, and roles of the organizations involved (covered entity or business associate).
- Dates, locations, and a concise narrative of what occurred and how your rights were affected.
- Type of data involved (for example, diagnoses, lab results, billing details) if a protected health information breach is suspected.
- Any notices you received, screenshots, letters, or other supporting documents (redact unnecessary sensitive numbers).
- Whether the issue is ongoing and any steps already taken (e.g., contacting a privacy officer).
- If filing for someone else, proof of authority (e.g., parental status, healthcare proxy, power of attorney).
Tips for clarity
- Stick to facts: who, what, when, where, and how.
- List every organization involved—OCR can handle multiple respondents.
- Note harms or risks (identity theft, denied access, or financial or emotional impact).
- If you’re filing after 180 days, add a brief good-cause explanation.
Navigating the HHS OCR Complaint Portal
The portal uses a guided workflow. You’ll enter your information, identify the organization(s), describe the event, upload documents, and review before signing. Keep your documents handy so you can complete the form in one session.
Step-by-step walkthrough
- Start a new complaint and select HIPAA as the basis.
- Choose the issue type (privacy, security, or breach) affecting electronic health information privacy.
- Enter your contact information and indicate if you’re filing for someone else.
- Add the organization(s) you’re complaining about and describe your relationship to them.
- Provide dates, a detailed narrative, and whether the situation is ongoing or resolved.
- Attach relevant files that support your account.
- Review everything, address the consent options, then electronically sign and submit.
Completing the Online Complaint Form
Complainant and respondent details
Provide your name, mailing address, phone, and email so OCR can contact you. Identify each organization (covered entity or business associate), including location and department if known.
Incident description
Write a clear, chronological account. Explain what happened, who was involved, when and where it occurred, and what rights you believe were violated. If it’s a protected health information breach, note what information was exposed and how you learned of it.
Evidence and attachments
- Upload letters, notices, screenshots, or communications that corroborate your account.
- Redact nonessential sensitive data (full SSNs, complete account numbers) before uploading.
Relief sought
State what you want to see happen—access to records, correction of practices, staff training, security improvements, or other corrective steps. Be specific and practical.
Electronic Signature and Consent Requirements
To submit, you will provide an electronic signature, typically by typing your full legal name and affirming the accuracy of your statements. This attestation allows OCR to process your complaint.
You will also see a complaint consent form. If you consent, OCR may share your complaint and identity with the organization during the investigation. If you decline, OCR may still review the complaint but could be limited in what it can investigate or resolve. Choose the option that matches your privacy needs and goals.
Post-Submission Procedures and Records
After you submit, you should receive an HHS complaint acknowledgement with a tracking or case number. Keep this for your records, along with a copy of your submission and any files you uploaded.
What happens next
- Intake review: OCR determines jurisdiction, timeliness, and whether your complaint alleges a potential HIPAA violation.
- Early steps: OCR may request more information or provide technical assistance to you or the organization.
- Investigation: If opened, OCR will gather facts from both sides and assess compliance.
- Communication: Watch for emails or letters and respond promptly to any requests or deadlines.
Recordkeeping and confidentiality
- Save all OCR correspondence and your case number.
- If you consented, OCR may share details with the organization; otherwise, OCR limits disclosures where possible.
- You can update contact information or submit additional documents by replying to OCR communications.
Understanding Complaint Outcomes
OCR can resolve matters in several ways under HIPAA enforcement procedures. Outcomes vary with the facts, evidence, cooperation, and corrective actions taken by the organization.
- No jurisdiction or insufficient information: OCR closes the matter or refers you elsewhere.
- Technical assistance: Guidance to the organization to fix issues without a formal investigation.
- Voluntary compliance or corrective action: Policies revised, staff retrained, access granted, or safeguards strengthened.
- Corrective action plan or resolution agreement: Formal commitments with monitoring.
- Monetary settlements or civil money penalties: Applied in more serious or systemic cases.
- No violation found or unable to substantiate: OCR closes the case.
HIPAA does not provide a private right of action for damages; OCR’s role is enforcement and corrective compliance. You may still have rights under other laws—consult an attorney if you need legal advice tailored to your situation.
Conclusion
You can file a HIPAA complaint online by preparing your facts, using the OCR portal, carefully completing the form, signing electronically, and deciding on the consent option that fits your goals. Keep your acknowledgement and respond quickly to OCR requests to support a timely, effective review.
FAQs
How do I start a HIPAA complaint online?
Begin in the Office for Civil Rights complaint portal, select HIPAA as the basis, identify the organization, describe what happened, attach any evidence, address the consent option, and submit with an electronic signature. Keep the confirmation and case number.
What information is required for a HIPAA complaint?
You’ll need your contact details, the organization’s name and location, dates and a clear narrative of the event, the type of information involved, and any supporting documents. If you’re filing for someone else, include proof of your authority to act for that person.
Can I submit a complaint anonymously?
Provide your contact information so OCR can communicate about the case. If you do not want your identity shared with the organization, you can decline the complaint consent form; OCR may still review the complaint but might be limited in what it can investigate or resolve.
What happens after I file a HIPAA complaint online?
OCR sends an acknowledgement with a case number, screens your complaint for jurisdiction and timeliness, may request more information, and determines next steps. Possible outcomes include technical assistance, corrective actions, formal agreements, penalties, or closure if no violation is found.