Can You File a HIPAA Complaint for Harassment? What Qualifies and How to File

Kevin Henry

HIPAA

March 07, 2024

Understanding HIPAA Complaint Eligibility

When a HIPAA complaint makes sense

You can file a HIPAA complaint when the harassment involves your protected health information (PHI) or interferes with your Health Information Privacy Rights. If someone misuses, wrongfully discloses, or accesses your PHI to intimidate, embarrass, or pressure you, that conduct can trigger HIPAA enforcement.

Who may file and against whom

Any person may submit a complaint—patients, personal representatives, employees, or bystanders. The complaint must involve a HIPAA-covered Entity (such as a healthcare provider, health plan, or healthcare clearinghouse) or a Business Associate that handles PHI for one of those entities.

What HIPAA covers—and does not

  • Covered: Privacy, Security, and Breach Notification violations affecting PHI; refusal to honor access or confidentiality requests; failure to safeguard electronic PHI; intimidation or retaliation tied to exercising HIPAA rights.
  • Not covered: General rudeness or workplace disputes that do not involve PHI. Those issues may fall under HR policies, labor laws, or civil rights laws—not HIPAA.

Defining Harassment under HIPAA

How HIPAA views “harassment”

HIPAA does not define harassment as a standalone category. Instead, conduct becomes a HIPAA issue when PHI is used or exposed improperly in a way that harasses, threatens, or coerces you, or when your privacy choices are ignored.

Examples that may qualify

  • A staff member repeatedly accessing your record without a care-related reason to contact or intimidate you.
  • Sharing your diagnoses or medications with an ex-partner or co-worker to embarrass you.
  • Leaving detailed voicemail messages after you requested confidential communications at a different number or address.
  • Ignoring requests to restrict disclosures and using PHI to pressure you into services or payments.

What likely does not qualify

Unprofessional tone, slow service, or scheduling conflicts—without any PHI misuse—typically do not create a HIPAA violation, though other complaint paths may apply.

Filing a Written HIPAA Complaint

Where to submit

File with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). You may submit online through the OCR Complaint Portal or send a written complaint by mail, email, or fax to OCR.

What to include

  • Your name and contact information (and whether you request confidentiality).
  • The name, address, and type of organization (HIPAA-covered Entity or Business Associate).
  • A clear description of what happened, including dates, who was involved, and how PHI was used or disclosed.
  • Which Health Information Privacy Rights you believe were violated (for example, right of access or confidential communication).
  • Copies of supporting materials: messages, screenshots, notices, policies, or logs that show the events.
  • Your signature and the date (the OCR Complaint Portal accepts electronic signatures).
  • If filing for someone else, your authority to act (e.g., legal representative documentation).

Practical tips

  • Write a short timeline to keep facts organized and focused.
  • Use neutral language; stick to what was said or done and who had PHI.
  • Redact unrelated sensitive details before attaching documents.

Meeting Filing Deadlines

Know the clock

As of November 2025, you generally have 180 days from when you knew—or should have known—about the violation to file with OCR. OCR may extend this period for good cause, so explain any delays clearly.

Don’t wait on internal processes

Using a provider’s grievance process does not pause the OCR deadline. If you’re approaching 180 days, file with OCR while you continue any internal or parallel complaints.

Following the HIPAA Complaint Process

Intake and jurisdiction

OCR first checks whether the accused organization is a HIPAA-covered Entity or Business Associate and whether the allegations, if true, would violate HIPAA. If not, OCR may refer you to a more appropriate agency.

The Complaint Investigation Process

If OCR opens a case, it requests records and explanations, interviews witnesses, and evaluates policies, safeguards, and training. Many matters resolve through technical assistance or voluntary corrective action; others lead to formal findings.

Possible outcomes

  • Closure with technical assistance or corrective steps taken by the entity.
  • Resolution agreements and corrective action plans to fix deficiencies.
  • Civil money penalties for serious or persistent noncompliance.

OCR’s HIPAA enforcement focuses on compliance. Individuals do not receive damages through OCR, though separate state-law remedies may exist.

Protecting Against Retaliation

Retaliation Prohibition

HIPAA forbids intimidation, threats, coercion, or discrimination because you exercised your rights, filed a complaint, or participated in an investigation. This Retaliation Prohibition applies to covered entities and their business associates.

If retaliation occurs

  • Document what happened (dates, names, communications) and keep copies.
  • Tell OCR promptly; retaliation itself can be a separate HIPAA violation.
  • Consider additional protections under whistleblower, employment, or civil rights laws if the conduct affects your job or access to care.

Exploring State and Federal Filing Options

Where else you can turn

  • State Attorneys General: Some enforce HIPAA-related privacy breaches and state medical privacy laws.
  • Civil Rights Agencies: Harassment tied to protected traits (for example, sex, race, disability) may fall under federal or state civil rights laws separate from HIPAA.
  • Professional Licensing Boards: For clinician conduct that violates professional standards.
  • Law Enforcement: For stalking, threats, or criminal misuse of health data.
  • Administrative Simplification Requirements: Issues about transactions, code sets, or identifiers may be handled under separate federal enforcement channels outside OCR.

Conclusion

If harassment involves PHI misuse or blocks your HIPAA rights, you can file with OCR—preferably through the OCR Complaint Portal—with a clear timeline, evidence, and prompt attention to the 180‑day deadline. Understand what HIPAA covers, use the proper channels, and assert your rights while documenting any retaliation.

FAQs

Can harassment be reported under HIPAA privacy rules?

Yes—when the harassment involves PHI misuse or interference with your HIPAA rights (for example, wrongful disclosures or refusing confidential communications). Purely interpersonal conflicts without PHI involvement are usually not HIPAA issues.

What information is needed to file a HIPAA complaint?

Provide your contact details, the organization’s identity and role (HIPAA-covered Entity or Business Associate), a fact-based description with dates, how PHI was involved, which Health Information Privacy Rights were affected, supporting documents, and your signature. If filing for someone else, include proof of authority.

How long do I have to file a HIPAA complaint?

Generally 180 days from when you knew—or should have known—about the violation. Explain any good-cause reasons for filing late; OCR may grant extensions.

Can I file a complaint directly with a healthcare provider?

You can report concerns to the provider’s privacy officer, but that does not replace filing with OCR. To seek federal enforcement, submit a written complaint to OCR (often easiest through the OCR Complaint Portal) within the 180‑day timeframe.
