HIPAA Negligence Complaint Guide: Build Your Case and File with HHS OCR
You can hold organizations accountable for negligent handling of your protected health information (PHI). This guide shows you how to confirm HIPAA coverage, assemble persuasive HIPAA violation documentation, complete the required forms, submit to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), understand complaint investigation steps, and meet the complaint filing deadline.
Determine Eligibility of Covered Entities
Confirm HIPAA coverage
HIPAA applies to a covered entity or a business associate that handles PHI. Covered entities include health plans, most health care providers that transmit health information electronically for standard transactions, and health care clearinghouses. Business associates are vendors or contractors (for example, billing services, cloud providers, or legal/IT firms) that create, receive, maintain, or transmit PHI for a covered entity.
Match your issue to HIPAA scope
HIPAA negligence generally involves failures to safeguard PHI or improper uses/disclosures, such as misdirected emails or faxes, lost unencrypted devices, weak access controls, or untrained staff. If your issue involves PHI held by a covered entity or its business associate, OCR can evaluate it. If the entity is not subject to HIPAA, you may still have other options, but OCR will not have jurisdiction.
Identify all responsible parties
When a business associate is involved, you can name both the business associate and the covered entity in your complaint. List legal names and any locations involved so OCR can determine jurisdiction and responsibility accurately.
Gather Detailed Incident Information
Capture the essentials
Write a clear, chronological account of what happened: who was involved, what PHI was exposed or misused, when and where events occurred, and how you discovered the issue. Include dates, times, locations, system names, and the roles of people involved.
HIPAA violation documentation checklist
- Evidence of the incident (emails, screenshots, letters, audit logs, misdirected records, breach notices).
- Copies of the entity’s Notice of Privacy Practices or statements relevant to the event.
- Your communications with the entity (names, dates, and summaries of calls or messages).
- Witness names and contact details, if any.
- Impact details (for example, identity theft steps taken or time spent mitigating harm).
Organize for clarity
Label files with dates and brief descriptions, keep originals unaltered, and create a single timeline document referencing each piece of evidence. Strong organization helps OCR quickly understand the facts and strengthens your negligence claim.
Complete Complaint Forms
Choose your filing method
OCR Complaint Portal
The OCR Complaint Portal lets you submit online, attach documents, and receive a confirmation number. It is typically the most efficient route and allows you to supplement evidence after filing if OCR requests more information.
Health Information Privacy Complaint Form
If you prefer offline filing, complete the Health Information Privacy Complaint Form and include copies of your evidence. Ensure every section is filled out completely to avoid delays.
Provide complete, precise details
- Your contact information and whether you file for yourself or on someone’s behalf.
- The covered entity and/or business associate’s legal name(s), address(es), and points of contact.
- Incident dates, a concise narrative of what occurred, and the specific types of PHI involved.
- Why you believe the conduct reflects negligence (e.g., inadequate safeguards, unauthorized disclosure).
- Attachments that support your account, along with a certification that your statements are true.
Write a focused allegation
Lead with the core violation, then provide the most persuasive facts and the key documents that prove it. Keep the narrative factual and organized; avoid speculation and stick to observable details.
Submit Complaint to OCR
File and retain proof
Submit via the OCR Complaint Portal or by sending the completed Health Information Privacy Complaint Form with copies of your evidence. Save your submission confirmation or mailing proof, and keep a copy of everything you send.
After submission
OCR typically acknowledges receipt and may ask for additional details. Respond promptly and completely. If your case involves multiple organizations, OCR may contact each one; be prepared to clarify roles and timelines.
If several incidents occurred
When there is a pattern or multiple related events, describe the series and attach a timeline showing each date and document. Clear pattern evidence can support a broader inquiry into systemic negligence.
Understand Investigation Process
Intake and jurisdiction
OCR first determines whether your complaint is timely, within HIPAA’s scope, and directed at a covered entity or business associate. If jurisdiction is lacking, OCR may close the matter or suggest alternate avenues.
Early resolution vs. complaint investigation
Some matters are resolved quickly through technical assistance or early resolution. Others proceed to a complaint investigation, where OCR requests records, policies, and logs, interviews personnel, and evaluates the entity’s safeguards and responses.
Outcomes you may see
Possible outcomes include closure with no violation, corrective action or technical assistance, or a resolution agreement and monitoring. For serious noncompliance, OCR can pursue civil monetary penalties or refer matters for criminal review when appropriate.
Follow Filing Deadlines
Know the complaint filing deadline
HIPAA complaints are generally due within a set period from when you knew about the alleged violation or negligence. File as soon as possible; waiting risks missing the complaint filing deadline.
Good-cause extensions
If you could not file on time due to circumstances such as incapacity or delayed discovery, explain the reasons and provide supporting documentation. OCR may allow late filing for good cause.
Track and respond promptly
Note every key date in your timeline: incident date, discovery date, and submission date. Internal grievances with the entity do not automatically pause OCR timelines, so keep your filing on track and reply to any OCR requests by the stated dates.
Conclusion
Build your case by confirming HIPAA coverage, assembling clear HIPAA violation documentation, completing the OCR Complaint Portal or Health Information Privacy Complaint Form thoroughly, and submitting a well-organized package. Understanding what OCR reviews and staying ahead of deadlines will maximize the impact of your negligence complaint.
FAQs
How do I know if an entity is covered by HIPAA?
HIPAA covers health plans, most health care providers that send health information electronically for standard transactions, and health care clearinghouses. Vendors that handle PHI on their behalf are business associates and are also subject to HIPAA obligations. If your issue involves PHI managed by any of these, OCR likely has jurisdiction.
What information is required to file a negligence complaint?
You need your contact details; the covered entity and/or business associate’s information; dates and locations; a factual narrative describing what happened; the types of PHI involved; and supporting evidence. Attach relevant documents and certify the accuracy of your statements.
Can I file a HIPAA complaint online?
Yes. You can file through the OCR Complaint Portal, which lets you upload documents and receive a confirmation number. You can also file by mailing the Health Information Privacy Complaint Form with copies of your evidence.
What happens after I submit my complaint to OCR?
OCR reviews timeliness and jurisdiction, may request more information, and decides between technical assistance, early resolution, or a formal complaint investigation. Outcomes range from closure with no violation to corrective actions, monitoring, or enforcement measures when warranted.