Can You File a HIPAA Complaint Against an Employer? When It Applies and How to Report a Violation



Kevin Henry

HIPAA

March 18, 2024

7 minutes read

Understanding HIPAA Applicability to Employers

When HIPAA applies to employer activities

HIPAA protects the privacy and security of protected health information (PHI) held by covered entities and their business associates—not by employers in their role as employers. In most workplaces, HIPAA applies through the employer’s group health plan, which is itself a covered entity.

If your employer sponsors a self-funded health plan (or helps administer a fully insured plan), the plan must meet the compliance obligations of a covered entity under the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. The employer may access only limited PHI for plan administration and must keep that data separate from ordinary HR files.

When HIPAA does not apply

Employment records are not PHI. Documents like sick notes, ADA accommodation forms, drug-test results, or supervisors’ notes kept for employment purposes are generally outside HIPAA. Other laws may govern those records, but a HIPAA complaint would not apply to them.

Similarly, a manager discussing your sick day without ever seeing PHI from the group health plan typically does not trigger HIPAA. The key question is whether PHI from a covered entity or business associate was used or disclosed improperly.

Covered entities and business associates

Covered entities include health plans, most health care providers that bill electronically, and health care clearinghouses. Business associates are vendors handling PHI for those entities—such as third-party administrators, benefits brokers, or cloud services—who must meet their own business associate obligations through safeguards and business associate agreements.

Some employer on‑site clinics can be covered entities if they provide care and transmit certain transactions electronically. If those clinics handle PHI, HIPAA applies to their records and disclosures.

Identifying HIPAA Violations in the Workplace

Privacy Rule red flags

  • Sharing plan PHI with supervisors for hiring, firing, or promotions without an authorization.
  • HR or the plan disclosing more than the minimum necessary PHI to people who do not need it.
  • Refusing, delaying, or overcharging for an individual’s access to their own plan PHI.
  • Failing to provide a Notice of Privacy Practices for the group health plan when required.

Security Rule concerns (ePHI)

  • No risk analysis, weak passwords, shared logins, or unencrypted devices storing ePHI.
  • Improperly emailing spreadsheets with claims data or eligibility files without safeguards.
  • Lack of access controls or audit logs for systems that hold plan enrollment or claims data.

Breach Notification Rule issues

  • Not investigating or documenting a suspected PHI incident involving the plan or its vendors.
  • Failing to provide timely breach notices to affected individuals and the Office for Civil Rights (OCR).

Ask yourself: Did PHI from the group health plan or its business associates get used or disclosed in a way the HIPAA Privacy Rule or Security Rule does not allow? If yes, a HIPAA complaint may be appropriate.

Internal Reporting Procedures

Who to contact first

Internal reporting is optional, but it can resolve problems quickly. Start with the group health plan’s HIPAA privacy official (often listed in plan materials) or the employer’s benefits department. If a vendor is involved, notify the plan and the vendor’s privacy or security contact.

How to document

  • Write a concise timeline: what happened, when, where, and who was involved.
  • Identify the type of PHI involved and how you learned of the incident.
  • Keep copies of emails, screenshots, or letters that support your account.

You are not required to use internal channels before contacting OCR. Use them if you believe they will help, but do not miss filing deadlines while waiting for an internal response.

Filing a Complaint with the Office for Civil Rights

Step-by-step overview

  1. Confirm it is a HIPAA issue (PHI held by a covered entity or business associate, such as a group health plan or its vendors).
  2. Gather facts and documents: dates, descriptions, and any evidence showing a Privacy Rule, Security Rule, or Breach Notification Rule problem.
  3. File with the Office for Civil Rights (OCR). You can submit online, by mail, or by email using OCR’s complaint process.
  4. Be clear and specific. Explain how HIPAA requirements were violated and identify the entity involved.
  5. Respond promptly to any OCR requests for additional information.

There is no fee to file, and you do not need an attorney. You can file for yourself or, in many cases, on someone else’s behalf.

Complaint Filing Requirements and Timelines

Minimum information to include

  • Your name and contact information (and, if applicable, the person you represent).
  • The name of the covered entity or business associate (for example, the group health plan or its third‑party administrator).
  • What happened, when it happened, and why you believe it violates the HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule.
  • Any steps you took internally and any supporting documents you can share.

Timing rules

  • File within 180 days of when you knew, or should have known, about the possible violation.
  • OCR may extend the deadline if you show good cause for a late filing.

Submitting early helps preserve details and evidence. If you are unsure whether HIPAA applies, you can still file; OCR will assess jurisdiction.

Investigation and Resolution Process

What OCR does with your complaint

  • Intake and jurisdiction review: OCR confirms whether the entity and issue fall under HIPAA.
  • Investigation or technical assistance: OCR may seek records, interview witnesses, or work with the entity to fix issues.
  • Outcomes: closure with technical assistance, voluntary corrective action, a corrective action plan with monitoring, resolution agreement, or civil money penalties in serious cases.

HIPAA does not provide a private right of action for damages. OCR focuses on system-wide compliance improvements and corrective steps that reduce future risk for you and others.

Your role during the process

  • Keep your contact information current and reply promptly to OCR inquiries.
  • Update OCR if you observe ongoing issues or retaliation after filing.

Timing varies by case complexity and cooperation. You will receive written notice when OCR resolves or closes the matter.

Protecting Against Retaliation

Your rights and practical steps

HIPAA includes protections against retaliation. Covered entities and business associates may not intimidate, threaten, coerce, discriminate against, or retaliate against you for filing a complaint, assisting an investigation, or opposing unlawful practices.

  • Document potential retaliation immediately—dates, actions, and witnesses.
  • Report retaliation to OCR as part of your complaint or as an update.
  • Preserve emails, messages, and performance records that show changes after your report.

Bottom line: Determine whether HIPAA applies, collect clear facts tied to the HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule, and file with OCR within 180 days. Internal reporting can help, but it is optional. If retaliation occurs, escalate it promptly—HIPAA protects your right to speak up.

FAQs

Who Can File a HIPAA Complaint Against an Employer?

Any person or organization may file a complaint with OCR if they believe a covered entity (such as a group health plan) or a business associate violated HIPAA. You can file for yourself or, in many situations, on someone else’s behalf.

What Information Is Required to File a HIPAA Complaint?

Provide your contact information, the name of the covered entity or business associate, a clear description of what happened and when, and any supporting documents. Explain which requirements you believe were violated—the HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule.

How Long Do You Have to File a HIPAA Complaint?

You generally have 180 days from when you knew, or should have known, about the possible violation. OCR can grant an extension if you demonstrate good cause for filing late.

What Happens After Filing a HIPAA Complaint?

OCR reviews your complaint for jurisdiction, may request more information, and can open an investigation. Outcomes include technical assistance, voluntary compliance, corrective action plans, or, in serious cases, settlement agreements or civil money penalties. You will receive written notice when the matter is resolved or closed.
