Can I File a HIPAA Complaint? What Qualifies and How to Submit One


Kevin Henry

HIPAA

March 27, 2024


If you believe your health information privacy rights were violated, you can file a HIPAA complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). This guide explains who can file, which organizations are covered, how to submit, what you must include, and what to expect after submission.

Use it to confirm complaint jurisdiction, avoid common mistakes, and understand how OCR investigates, how it resolves violations through voluntary compliance or corrective action, and when civil money penalties may apply.

Eligibility to File a Complaint

Any person or organization may file a HIPAA complaint. That includes you as a patient, a patient’s personal representative (such as a parent, legal guardian, or executor), or a workforce member who witnessed a potential violation. You do not need to be a U.S. citizen to file.

Your complaint qualifies when it alleges a violation of HIPAA’s Privacy, Security, or Breach Notification Rules affecting protected health information (PHI). Common examples include unauthorized use or disclosure of PHI, denial of your right of access, inadequate safeguards for electronic PHI, failure to provide a notice of privacy practices, or lack of timely breach notification.

You generally must file within 180 days of when you knew the violation occurred; OCR may extend this deadline if you show good cause for the delay. If your concern does not involve PHI or the respondent is not subject to HIPAA, OCR may dismiss for lack of complaint jurisdiction or refer you elsewhere.

Covered Entities Subject to HIPAA

HIPAA applies to three types of HIPAA-covered entities: health plans (for example, insurers and employer group health plans), health care clearinghouses, and health care providers that conduct standard electronic transactions (such as billing). These organizations must safeguard PHI and honor your health information privacy rights.

Business associates—vendors and contractors that create, receive, maintain, or transmit PHI for a covered entity—are also subject to HIPAA. Examples include billing services, cloud or IT providers, EHR vendors, legal or accounting firms handling PHI, and their subcontractors.

Not every organization that touches health-related data is covered. For instance, employers acting in their role as employers, many mobile apps or wearables used directly by consumers, life insurers, and schools governed by FERPA may fall outside HIPAA. OCR evaluates coverage case by case, including hybrid entities where only designated health components are subject to HIPAA.

Methods to File a HIPAA Complaint

Online (fastest)

Submit through OCR’s online complaint system. You’ll answer guided questions, upload supporting documents, sign electronically, and receive confirmation. Online filing helps OCR route your complaint quickly to the correct regional office.

Mail or Email

You may mail or email a completed complaint form to the appropriate OCR regional office. Keep copies of everything you send. If you need an alternative format or language assistance, you can request accommodations.

Optional: Complain to the Entity

You can also complain directly to the HIPAA-covered entity’s privacy officer. This is not required to file with OCR, but it may lead to faster local resolution while OCR reviews your submission.

Complaint Submission Requirements

Provide enough detail for OCR to assess complaint jurisdiction and the alleged HIPAA violation. Include:

  • Your name and contact information (or your authorized representative’s), and a request for confidentiality if you want OCR to avoid disclosing your identity to the entity when possible.
  • The name of each HIPAA-covered entity or business associate involved, with addresses and points of contact if known.
  • A clear, chronological description of what happened, when it happened, and how it affected your PHI or health information privacy rights.
  • What HIPAA right you believe was violated (for example, right of access, unauthorized disclosure, inadequate safeguards).
  • Relevant documents or screenshots, such as letters, emails, denial notices, or breach notifications.
  • Your signature or electronic signature attesting that the information is true; if filing for someone else, include proof of authority (for example, power of attorney, guardianship, or estate documentation).

Deadlines matter: file within 180 days of when you knew about the violation. If you miss the deadline, explain the good cause for the delay so OCR can consider an extension.

Post-Complaint Process

OCR acknowledges receipt and conducts an intake review for timeliness, coverage, and complaint jurisdiction. If the issue falls outside HIPAA or OCR’s authority, the matter may be closed or referred to another agency.

When OCR opens a case, it typically contacts the entity for a response and may request additional information from you. Some matters are resolved early through technical assistance or voluntary compliance, where the entity promptly fixes the issue and implements safeguards.

Possible outcomes include: no violation found; closure with technical assistance; voluntary compliance with documented corrective steps; a corrective action plan with monitoring; or enforcement actions that can include civil money penalties for serious or uncorrected violations. OCR does not award personal monetary damages to complainants.

OCR Investigation Procedures

During an investigation, OCR notifies the entity, defines the scope, and requests records such as policies, risk analyses, training logs, access logs, system configurations, and incident reports. OCR may conduct interviews, review data remotely, or perform onsite visits.

Findings are based on the evidence and the HIPAA rules. When violations are identified, OCR seeks voluntary compliance or imposes corrective action with deadlines and proof of implementation. In cases involving willful neglect or failure to cooperate, OCR may assess civil money penalties. Criminal matters can be referred to the Department of Justice.

Factors that influence outcomes include the nature and extent of the violation, harm to individuals, the entity’s size and compliance history, remedial efforts, and cooperation with OCR’s process.

Anti-Retaliation Protections

HIPAA prohibits covered entities and business associates from retaliating against you for filing a complaint, participating in an investigation, or exercising your HIPAA rights. Intimidation, threats, denial of services, adverse employment actions, or conditioning treatment or payment on waiving your rights are not allowed.

Workforce members are also protected when whistleblowing to government authorities or accreditation bodies under specific conditions. If you experience retaliation, report it to OCR; retaliation itself can be a separate HIPAA violation.

Summary

You can file a HIPAA complaint with OCR if a HIPAA-covered entity or business associate compromised your health information privacy rights. Submit a timely, well-documented complaint, list all entities involved, and sign it. OCR reviews jurisdiction, investigates as appropriate, and resolves violations through voluntary compliance, corrective actions, or civil money penalties when warranted.

FAQs

Who is eligible to file a HIPAA complaint?

Anyone who believes HIPAA was violated may file, including patients, personal representatives (such as parents, guardians, or executors), and workforce members. Organizations can also file. You do not need to prove a violation before filing—OCR determines that after intake.

What information is required in a HIPAA complaint?

Provide your contact information, the name of each HIPAA-covered entity or business associate involved, dates and facts, how your health information privacy rights were affected, supporting documents, and your signature. If filing for someone else, include proof you are authorized to act for that person.

How long do I have to file a HIPAA complaint?

You generally must file within 180 days of when you knew of the violation. If you missed this window, explain the good cause for the delay so OCR can consider an extension.

What happens after filing a complaint?

OCR reviews timeliness and complaint jurisdiction, may seek more information, and contacts the entity for a response. Outcomes range from technical assistance and voluntary compliance to corrective action plans or civil money penalties in serious cases. OCR keeps you informed but does not award personal monetary damages.
