HIPAA Complaint Requirements and Timelines for Covered Entities and Privacy Officers


Kevin Henry

HIPAA

December 28, 2024


Filing a HIPAA Complaint

Individuals may file a complaint if they believe a covered entity or business associate violated the HIPAA Privacy, Security, or Breach Notification Rules. Complaints can be submitted to the organization’s privacy officer and/or to the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

Eligibility and timing

You generally must file with OCR within 180 days from when you knew of the alleged violation. OCR may extend this deadline for good cause, but you should file as soon as possible to preserve your rights and evidence.

What to include

  • Your name and contact information (or an authorized representative’s).
  • The name of the covered entity or business associate involved.
  • Dates of the incident(s) and a clear description of what happened involving Protected Health Information (PHI).
  • Any supporting documents or screenshots, and your signature or attestation.

Internal versus external paths

Your provider or health plan’s Notice of Privacy Practices explains how to submit concerns internally without retaliation. You may also go directly to OCR regardless of whether you used internal channels.

Complaint Submission Methods

Online submission

OCR accepts electronic complaints through the OCR Complaint Portal. This is typically the fastest path because it structures key fields, supports attachments, and generates a tracking number.

Mail, email, or fax

You may send a written complaint to the appropriate OCR regional office by mail, email, or fax. Keep copies of everything you send, including proof of delivery and a list of attachments.

Internal Reporting Procedures

Covered entities should maintain accessible Internal Reporting Procedures—such as an inbox, hotline, or web form—to capture complaints for the privacy officer. Acknowledging receipt promptly and documenting next steps helps preserve trust and creates a defensible record.

Roles of Covered Entities and Business Associates

Covered entities

Covered entities must designate a privacy official, maintain policies for receiving complaints, and prohibit retaliation. They should evaluate alleged uses or disclosures of PHI, apply sanctions where appropriate, mitigate harm, and communicate outcomes consistent with policy and the Notice of Privacy Practices.

Business associates

Business associates are directly liable for certain HIPAA requirements. They must implement safeguards, cooperate with investigations, and report breaches to the covered entity without unreasonable delay. Business associate agreements should set expectations for incident reporting, cooperation, and record sharing.

Coordination and timelines

While HIPAA sets few fixed timelines for internal complaint handling, establishing service levels (for example, rapid acknowledgment and measured time-to-resolution) improves consistency. The privacy officer should escalate high-risk matters immediately and document rationale for all timing decisions.

OCR Investigation Process

Intake and jurisdiction

OCR reviews whether the complaint is timely, within its jurisdiction, and states a potential violation. If accepted, OCR notifies the entity and requests information about policies, workforce training, risk analyses, and relevant logs.

Evidence requests and assessments

Entities may be asked for copies of policies, system screenshots, audit trails, risk assessments, and communications with the complainant. Clear, complete responses and transparent remediation can shorten the process and reduce exposure.

Resolution pathways

  • Closure with technical assistance when no persistent noncompliance is found.
  • Voluntary compliance or Resolution Agreements with Corrective Action Plans (CAPs) that require specific steps, monitoring, and reporting.
  • Where warranted, Civil Monetary Penalties (CMPs) based on the nature and extent of the violation and harm.

Investigation timelines vary by complexity and workload; some cases close quickly, while others take many months or longer.

Retaliation Protections and Reporting

Prohibitions on retaliation

HIPAA forbids intimidation, threats, coercion, discrimination, or retaliation against anyone who files a complaint, participates in an investigation, or opposes unlawful practices. Entities may not require individuals to waive their HIPAA rights as a condition of treatment, payment, or enrollment.

How to report retaliation

Report retaliation internally to the privacy officer and externally to OCR. Preserve messages, performance notes, schedule changes, or other evidence. Document the timeline and affected PHI to support prompt investigation.

Documentation Requirements for Complaints

Required records

Covered entities must maintain documentation of complaints and their disposition—often referred to as Complaint Disposition Documentation—for at least six years from the date of creation or last effective date. Keep intake records, risk assessments, decisions, and communications.

Content of the file

  • Complaint intake details, including dates and participants.
  • Description of the alleged event and PHI involved.
  • Applicable policies, workforce actions, and mitigation steps.
  • Final determination, rationale, and notifications provided.

Program improvement

Aggregate complaint trends should inform training, sanctions, policy updates, and system controls. Regular reviews help the privacy officer demonstrate continuous improvement and readiness for OCR inquiries.

Breach Reporting Obligations

Determining whether a breach occurred

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises privacy or security, unless an exception applies. Conduct a risk assessment considering the nature of PHI, the unauthorized recipient, whether PHI was actually viewed, and mitigation.

Notification timelines

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: For breaches affecting 500 or more individuals, without unreasonable delay and no later than 60 days after discovery; for fewer than 500, no later than 60 days after the end of the calendar year.
  • Media: For breaches affecting 500 or more residents of a state or jurisdiction, notify prominent media outlets without unreasonable delay and within 60 days.
  • Business associates: Must notify the covered entity without unreasonable delay and no later than 60 days after discovery, supplying details to support notifications.

Notification content

Provide a description of what happened, types of PHI involved, steps individuals should take, what the entity is doing to investigate and mitigate, and contact methods for questions. Document every decision and notice provided.

Key takeaways

  • File HIPAA complaints promptly—OCR’s general deadline is 180 days from awareness of the event.
  • Use the OCR Complaint Portal or written methods; maintain strong internal channels.
  • Expect requests for policies, risk analyses, and logs; outcomes range from technical assistance to CAPs or CMPs.
  • Never retaliate; maintain robust documentation and timely breach notifications.

FAQs

What is the deadline for filing a HIPAA complaint?

You generally must file with OCR within 180 days of when you knew of the alleged violation. OCR may grant an extension for good cause, but filing quickly preserves evidence and improves review efficiency.

How does OCR investigate HIPAA complaints?

OCR screens for jurisdiction and timeliness, notifies the entity, and requests records such as policies, training, audit logs, and risk assessments. It may close with technical assistance, require a Resolution Agreement with a Corrective Action Plan, or impose Civil Monetary Penalties when warranted.

What protections exist against retaliation for complainants?

HIPAA prohibits intimidation or retaliation against anyone who files a complaint or participates in an investigation. Entities cannot require a waiver of HIPAA rights, and internal policies should clearly state non-retaliation and how to report concerns.

How must covered entities document HIPAA complaints?

Entities must retain Complaint Disposition Documentation for at least six years. Each file should capture intake details, facts and PHI involved, analysis, mitigation, final decisions, and communications, consistent with Internal Reporting Procedures and the Notice of Privacy Practices.
