Can You File a HIPAA Complaint for a Breach of Confidentiality? How to Report It and What to Expect

Kevin Henry

HIPAA

March 18, 2024

6 minutes read

Yes. If you believe your protected health information (PHI) was disclosed, used, or accessed improperly, you can file a HIPAA complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This guide explains how to report a breach of confidentiality, what happens next, and how to protect yourself during the process.

Whether the issue involves a HIPAA-covered entity such as a health plan, provider, or health care clearinghouse—or a business associate acting on their behalf—you have clear options to pursue accountability and corrective action.

Filing a HIPAA Complaint

Where and how to file

The fastest way to submit a complaint is through the OCR Complaint Portal. You may also file by mail or email using OCR’s complaint form. Complaints can be filed by the individual affected, a personal representative, or someone who witnesses a potential violation.

What to include in your complaint

  • Who: Name of the HIPAA-covered entity or business associate and, if known, its privacy officer.
  • What: A clear description of what happened and why you believe the HIPAA Privacy Rule was violated (for example, disclosure of unsecured protected health information).
  • When and where: Dates, times, and locations of the incident(s), plus any supporting documentation or screenshots.
  • Impact: Any harm or risks (identity theft exposure, embarrassment, financial fraud attempts), even though demonstrating harm is not required to file.
  • Contact information: How OCR can reach you for follow-up.

Key tips for a strong submission

  • Confirm the respondent is subject to HIPAA (a covered entity or its business associate).
  • Organize events in a timeline and attach evidence (letters, emails, audit screenshots, statements).
  • Keep your description factual, concise, and focused on PHI and confidentiality issues.

Reporting a Breach of Confidentiality

What counts as a potential breach

A breach generally means an impermissible use or disclosure of PHI that compromises its privacy or security. Examples include sending records to the wrong patient, employee snooping without a job-related need, discussing PHI in public areas, or losing a device containing unencrypted PHI.

“Unsecured” vs. “secured” PHI

Breaches typically involve unsecured protected health information—PHI that is not properly encrypted or otherwise rendered unreadable. If PHI is secured (for example, strongly encrypted), an incident may not be a reportable breach under HIPAA.

Role of breach notification requirements

Covered entities must assess incidents and, when a reportable breach occurs, notify affected individuals and OCR under HIPAA’s breach notification requirements. If you learn of a breach affecting you, mention any notices you received when filing your complaint.

Internal Reporting Procedures

Start with the organization when appropriate

If it’s safe to do so, report concerns directly to the provider or plan’s privacy officer or compliance hotline. Ask for the issue to be logged, investigated, and corrected. Keep copies of your report and any responses you receive.

You can still go to OCR

Internal reporting is optional; you retain the right to file with the Office for Civil Rights (OCR) at any time. If the organization confirms a breach but fails to notify you or take corrective action, include that information in your OCR submission.

Investigation and Resolution

What OCR does with your complaint

OCR reviews whether it has jurisdiction and whether the facts suggest a potential HIPAA violation. If the complaint proceeds, OCR may request records, interview witnesses, and examine the entity’s policies, training, and safeguards.

Possible outcomes

  • No violation or insufficient evidence: OCR closes the matter and notifies you.
  • Technical assistance: OCR educates the entity and expects corrective steps.
  • Corrective Action Plan or Resolution Agreement: The entity commits to remediation and monitoring.
  • Enforcement: In serious or persistent cases, OCR may impose civil money penalties.

OCR’s actions focus on compliance improvements. Monetary penalties, if assessed, are paid to the government, not to individual complainants.

Understanding HIPAA Privacy Rules

Who is covered

HIPAA applies to HIPAA-covered entities—health plans, most health care providers, and clearinghouses—and to each business associate that handles PHI for them. If your complaint involves an organization outside HIPAA’s scope, OCR may close the case or refer it to a more appropriate regulator.

Core principles that often arise in complaints

  • Minimum necessary: Limit PHI use and disclosure to what’s reasonably needed.
  • Access controls: Workforce members should view PHI only for job-related purposes.
  • Safeguards: Administrative, physical, and technical measures must protect confidentiality and security.
  • Breach assessment: Entities must evaluate incidents and act when PHI is compromised, especially if it is unsecured protected health information.

Timelines for Filing Complaints

In general, you must file within 180 days of when you knew or should have known about the potential violation. OCR may extend this deadline if you can show good cause for a delay. If the issue is ongoing, explain the continuing nature in your complaint.

Preventing Retaliation Against Complainants

HIPAA prohibits covered entities and business associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint, assisting an investigation, or exercising your rights. If you experience retaliation, document it and include those facts in your OCR complaint.

Ask the organization’s privacy officer to address any retaliation concerns immediately. Continued retaliation can itself be a compliance issue subject to enforcement.

FAQs

What is considered a breach of confidentiality under HIPAA?

A breach is an impermissible use or disclosure of PHI that compromises its privacy or security, such as misdirected records, unauthorized snooping, public conversations revealing identifiable information, or lost devices containing unsecured protected health information.

How do I file a HIPAA complaint for a breach?

Submit your HIPAA complaint through the OCR Complaint Portal, or by mail or email using OCR’s form. Include who was involved (the HIPAA-covered entity or business associate), what happened, when and where it occurred, why it violates HIPAA, and any supporting documents.

What happens after I file a HIPAA complaint?

OCR determines jurisdiction and investigates as warranted. Outcomes range from technical assistance to corrective action plans, resolution agreements, or civil money penalties in serious cases. You will be notified when the matter is closed.

Can I file a complaint anonymously?

You may submit information without identifying yourself, but OCR generally needs contact details to investigate effectively and communicate about the case. Anonymous reports can still help trigger compliance reviews, especially when detailed and well-documented.
