Can You File a HIPAA Complaint with HIPAA? File with HHS OCR—Here’s How
Determine Eligibility
You do not file a HIPAA complaint “with HIPAA.” You file with the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). Start by confirming that your concern involves a HIPAA violation and that the organization is subject to HIPAA.
Who can be the subject of your complaint
A covered entity includes health care providers, health plans, and health care clearinghouses. A business associate is a vendor or subcontractor that creates, receives, maintains, or transmits protected health information for a covered entity (for example, a billing service, cloud storage provider, or e‑prescribing vendor).
What counts as a HIPAA violation
Common issues include impermissible uses or disclosures of PHI, failure to implement reasonable safeguards, denial or delay of the right of access, inadequate breach notification, or a lack of required policies, training, and risk analysis. Retaliation for exercising HIPAA rights is also prohibited.
Who may file
You may file for yourself, for someone else as a personal representative, or as a workforce member reporting concerns. If your issue is about matters outside HIPAA (for example, billing disputes without PHI concerns), OCR may not be the correct forum.
Gather Necessary Information
Collect clear, factual details so OCR can quickly determine jurisdiction and next steps. Provide only what is needed; keep originals and submit copies when possible.
Essential details to collect
- Name of the covered entity or business associate and relevant department or location.
- Dates, times, and a concise description of what happened and why you believe it is a HIPAA violation.
- Your contact information and preferred method of communication.
- If filing for someone else, your relationship and authority to act.
Evidence to include (safely)
- Copies of letters, emails, portal messages, or right of access requests and responses.
- Policies or notices you received and any screenshots or photographs that illustrate the issue.
- Names of individuals involved and potential witnesses.
Privacy and precision
Redact sensitive details that are unnecessary to explain the event. Use dates, document titles, and short, objective statements rather than speculation.
Choose a Submission Method
OCR accepts complaints in several formats. Choose the option that lets you submit a complete, timely, and signed complaint.
OCR Complaint Portal (recommended)
The OCR Complaint Portal guides you step by step, lets you attach files, and provides a confirmation of submission. It is typically the fastest way to file and track your complaint.
Mail or fax using the complaint form
You can print and sign the complaint form and send it to OCR. If you cannot access the portal, this method is a reliable alternative. Keep a copy and proof of delivery for your records.
Accessibility and language support
OCR provides reasonable accommodations and language assistance. If you need help completing or submitting your complaint, request assistance when you contact OCR.
Understand the Filing Deadline
The filing deadline is generally 180 days from when you knew, or should have known, about the potential HIPAA violation. File as soon as you can to preserve your rights and evidence.
Good cause extensions
OCR can extend the filing deadline if you show good cause, such as serious illness, incapacitation, or other circumstances beyond your control. Explain the reason and provide any supporting documentation.
Practical tips
- If an issue is ongoing, note that it is continuing and list the most recent date.
- Submit now with what you have; you can supplement later rather than risking a missed filing deadline.
Anticipate the Investigation Process
After you file, OCR screens your complaint for jurisdiction and timeliness. You may receive requests for clarification or additional documents.
What OCR typically does
- Determines whether the entity is a covered entity or business associate and whether HIPAA applies.
- Asks the entity for records, policies, training logs, security analyses, and responses to your allegations.
- Interviews relevant personnel and evaluates safeguards and breach response, if applicable.
Possible outcomes
- Technical assistance or voluntary compliance when issues are minor or quickly remediated.
- Corrective action through a resolution agreement or corrective action plan with monitoring.
- Civil monetary penalty if violations persist or are serious and unresolved.
OCR does not award personal damages. Its role is to enforce compliance and require corrective action; penalties, when imposed, are paid to the U.S. government.
Recognize Anti-Retaliation Protections
Covered entities and business associates may not intimidate, threaten, coerce, or discriminate against you for filing a HIPAA complaint or participating in an OCR investigation. This protection applies to patients and workforce members acting in good faith.
If retaliation occurs
- Document what happened, when, and who was involved.
- Report the retaliation to OCR promptly as a separate allegation.
- Preserve emails, texts, schedules, or performance records that reflect the change in treatment.
Bottom line: You file with HHS OCR—not “with HIPAA.” Confirm eligibility, gather precise facts, choose a submission method (the OCR Complaint Portal is often best), file within the 180‑day filing deadline, understand how investigations proceed, and rely on anti‑retaliation protections if needed.
FAQs
How do I file a HIPAA complaint with HHS OCR?
Identify the covered entity or business associate and describe the HIPAA violation with dates and facts. Submit through the OCR Complaint Portal or by mailing/faxing the signed complaint form with your attachments. Keep copies of everything you send, and respond promptly if OCR requests more information.
What information is required to submit a HIPAA complaint?
You should provide your contact details, the name and location of the covered entity or business associate, the dates and description of what happened, and supporting documents (such as correspondence or access requests). If filing for someone else, include your relationship and authority. Indicate whether you request confidentiality.
What happens after I file a complaint?
OCR screens your complaint for timeliness and jurisdiction, then may open an investigation and request records from the entity. Outcomes range from technical assistance and voluntary corrective action to a formal corrective action plan or, in serious cases, a civil monetary penalty. OCR informs you when the matter is resolved or closed.
Can I file a HIPAA complaint anonymously?
OCR needs enough information to evaluate and correspond about your complaint. You can ask OCR not to share your identity with the entity, but fully anonymous submissions limit OCR’s ability to investigate and to update you on the outcome. Providing contact information generally leads to a more actionable review.