HIPAA Complaint and Breach Reporting: HHS OCR Checklist for Covered Entities
This checklist distills what covered entities and business associates must do to meet the HIPAA Privacy Rule and Breach Notification Rule, and how to work with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Use it to guide internal procedures, coach workforce members, and prepare documentation that stands up during compliance enforcement.
Filing a HIPAA Complaint
Anyone who believes a covered entity or business associate violated the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule can file a complaint with the HHS Office for Civil Rights (OCR). Complaints generally must be submitted within 180 days from when the person knew of the potential violation; OCR may extend this for good cause.
Where and how to file
- Submit online via the HHS OCR complaint portal, or send by mail or email to OCR regional offices.
- You may also notify the organization’s privacy or compliance office, but that does not replace filing with OCR.
- Organizations should make complaint channels clear and accessible to patients and workforce members.
What to include
- Your name and contact information (or indicate if you prefer to remain anonymous to the entity).
- The name of the covered entity or business associate, locations involved, and dates of the incident(s).
- A concise description of what happened, the HIPAA rules you believe were violated, and any witnesses or documents.
Entity response readiness
- Maintain policies describing non-retaliation and how complaints are triaged and investigated.
- Document every step: intake, fact-finding, remediation, and communications with OCR.
- Provide timely technical assistance or corrective action when issues are substantiated.
Breach Notification Requirements
A breach is an impermissible use or disclosure of protected health information (PHI) that compromises its security or privacy. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless an exception applies or a documented risk assessment shows a low probability that the PHI has been compromised.
Risk assessment factors
- Nature and extent of PHI involved (identifiers and likelihood of re-identification).
- The unauthorized person who used or received the PHI.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (e.g., recovery of data, confidentiality assurances).
Timelines and audiences
- Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery.
- Media: If a breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that area within 60 days.
- Secretary of HHS: See “Reporting Breaches to the Secretary.”
- Business associates: Must notify the covered entity without unreasonable delay and no later than 60 days after discovery, identifying affected individuals and supplying known details.
Content of individual notice
- A brief description of what happened, including the date of the breach and the date of discovery.
- The types of unsecured protected health information involved (e.g., name, Social Security number, diagnosis).
- Steps individuals should take to protect themselves.
- What the organization is doing to investigate, mitigate harm, and prevent recurrence.
- Contact methods for questions (toll-free number, email, or postal address).
Delivery and special cases
- Use first-class mail or email if the individual has agreed to electronic notice.
- If contact information for 10 or more individuals is insufficient, provide substitute notice (e.g., website posting for at least 90 days and a toll-free number).
- Delay permitted if a law enforcement official determines notice would impede an investigation; document the request and resume notice when allowed.
Reporting Breaches to the Secretary
OCR requires covered entities to report breaches through the HHS breach reporting portal. A business associate does not report directly unless acting on behalf of a covered entity under a business associate agreement.
Thresholds and deadlines
- 500 or more affected individuals: Report to the Secretary without unreasonable delay and in no case later than 60 calendar days after discovery.
- Fewer than 500 affected individuals: Log each breach and submit the annual report to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
Information typically required
- Contact information for the reporting organization and a designated representative.
- Breach dates, discovery date, and number of individuals affected.
- Type and location of PHI (paper, email, network server, laptop, etc.) and whether the PHI was encrypted or destroyed.
- Cause of breach (e.g., hacking/IT incident, unauthorized access/disclosure, theft, loss) and mitigation steps.
- Notice details to individuals and, if applicable, to media.
Submit one report per incident. Keep contemporaneous documentation supporting your risk assessment, notification decisions, and remedial actions in case OCR initiates a compliance review.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
OCR's Enforcement Process
OCR enforces HIPAA through complaint investigations, breach-triggered compliance reviews, and audits. The process is designed to drive corrective action and, when warranted, impose civil monetary penalties.
Typical stages
- Intake and jurisdiction: OCR screens complaints and breach reports to confirm applicability to HIPAA-regulated covered entities or business associates.
- Preliminary review: OCR requests information to assess potential violations of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule.
- Investigation: Document requests, interviews, and, if needed, on-site visits focusing on policies, workforce training, risk analysis, access controls, and incident response.
- Findings and resolution: Outcomes may include technical assistance, voluntary compliance, a resolution agreement with a corrective action plan (CAP), or civil monetary penalties for unresolved or willful neglect violations.
Corrective action plan (CAP) expectations
- Policy and procedure updates mapped to the rule requirements.
- Comprehensive security risk analysis and risk management plan for ePHI.
- Workforce training and attestations.
- Independent or internal monitoring, reporting to OCR, and executive oversight.
Penalty considerations
- Nature and extent of violations and resulting harm.
- Number of individuals affected and duration of noncompliance.
- History of prior violations and the entity’s financial condition.
- Whether the entity corrected the violation within 30 days and evidence of willful neglect.
Maintain an incident response program that integrates privacy and security, keeps decisions evidence-based, and documents mitigation. Thorough records often allow OCR to resolve matters with technical assistance or targeted CAPs rather than penalties.
Breach Notification Rule
The Breach Notification Rule applies when unsecured protected health information is compromised. “Unsecured” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through technologies such as strong encryption or destruction consistent with recognized standards.
Key exceptions to “breach”
- Unintentional acquisition, access, or use by a workforce member or person acting under authority, if in good faith and within scope, and no further impermissible use or disclosure occurs.
- Inadvertent disclosure from one authorized person to another within the same covered entity or business associate, with no further impermissible use or disclosure.
- Good-faith belief that the unauthorized recipient could not reasonably have retained the information.
Discovery and reasonable diligence
- Discovery occurs on the first day the breach is known—or would have been known with reasonable diligence—by any workforce member or agent.
- Train workforce to escalate incidents immediately so discovery is promptly recorded and timelines start accurately.
Conclusion
For covered entities and business associates, rapid triage, documented risk assessment, timely notices, and proactive remediation are the pillars of HIPAA compliance. Align your processes to the HIPAA Privacy Rule and Breach Notification Rule, keep evidence of every decision, and engage early with the Office for Civil Rights to reduce risk and strengthen trust.
FAQs
Which agency handles HIPAA complaint investigations?
The Department of Health and Human Services Office for Civil Rights investigates HIPAA complaints and conducts compliance enforcement under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
What is the deadline for reporting HIPAA breaches?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, also notify the Secretary of HHS within 60 days (and the media if 500+ residents of a state or jurisdiction). For fewer than 500, report to the Secretary no later than 60 days after the end of the calendar year. Business associates must notify the covered entity within the same 60-day outer limit.
How are HIPAA breach notifications submitted to HHS?
Covered entities submit breach reports through OCR’s online breach reporting portal, providing incident details, affected counts, notice dates, mitigation, and a contact person. File one submission per incident and retain all supporting documentation for potential OCR review.
What protections exist against retaliation for filing HIPAA complaints?
HIPAA prohibits covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against any person for filing a complaint, participating in an investigation, or opposing unlawful practices. Organizations should maintain clear non-retaliation policies, train supervisors, and provide safe reporting channels.