HIPAA Violation Complaint Form: How to File with HHS OCR (Step-by-Step)

Kevin Henry

HIPAA

March 26, 2024

Determine Eligibility for Complaint

Start by confirming that your issue is a potential HIPAA violation and that the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) has authority to act. HIPAA applies to covered entities—most health plans, health care providers, and health care clearinghouses—and to their business associates that handle protected health information (PHI) on their behalf.

Eligible complaints typically involve the HIPAA Privacy Rule, the Security Rule, or the Breach Notification Rule. Examples include unauthorized uses or disclosures of PHI, denial of timely access to your records, lack of reasonable safeguards for electronic PHI, or failure to provide required breach notices. If the subject of your complaint is neither a covered entity nor a business associate, OCR may lack jurisdiction.

You can file on your own behalf, as a personal representative, or as a third party. If you are a representative, be prepared to show your authority to act (for example, a power of attorney or court order). Focus your complaint on specific incidents, dates, and the covered entity obligations you believe were violated.

Gather Required Complainant Information

Collect clear, complete details before you begin the HIPAA violation complaint form. Preparing this information upfront helps OCR review your submission faster and reduces follow-up requests.

Complainant and incident details

  • Your name, mailing address, phone number, and email, plus your preferred contact method and language.
  • The name and contact information of the covered entity or business associate involved.
  • The date(s) of the incident(s) and a concise description of what happened, explaining which Privacy Rule, Security Rule, or Breach Notification Rule requirements may have been violated.
  • Whether OCR may disclose your identity to the entity during the investigation.

Supporting evidence

  • Copies of correspondence, screenshots, notices, or policies you received (avoid including more PHI than necessary).
  • Relevant internal documents if you are an employee or contractor (for instance, applicable Business Associate Agreements or privacy policies, if available to you lawfully).
  • Names or roles of individuals who were involved or who witnessed the events.

Write a factual, chronological narrative. Use objective language and include only details that help OCR understand what occurred and which covered entity obligations it implicates.

Choose Submission Method

You can file your complaint using one of several methods. Select the approach that best matches your needs for speed, accessibility, and documentation.

Primary option: OCR Complaint Portal

The OCR Complaint Portal allows you to complete the HIPAA violation complaint form online, upload supporting files, and provide a digital signature. It is typically the fastest way to submit and receive a tracking number.

Alternative options

  • Mail or fax: You can print and send a paper form with attachments.
  • Email: You may submit a completed form and scanned evidence to OCR, if permitted by instructions on the form.
  • Accessibility and language: Assistance is available if you need accommodations or interpreter services.

Keep a copy of everything you submit, including your narrative and evidence list. If you mail or fax, consider using a method that provides delivery confirmation.

Sign and Date Complaint

OCR requires a signed, dated complaint to proceed. If you use the OCR Complaint Portal, you will provide an electronic signature by affirming that your statements are true. For mail, fax, or email, sign and date the form; if you are a representative, include documentation showing your authority to act for the individual.

Review your information for accuracy before signing. Your signature certifies that the facts are correct to the best of your knowledge and that you understand OCR may contact you for more information.

Submit Within 180 Days

File your complaint within 180 days from the date you knew or reasonably should have known of the alleged violation. Submitting promptly preserves your rights and helps OCR obtain timely evidence from the entity.

If you miss the 180-day window, explain any circumstances that prevented timely filing. OCR may accept late complaints for good cause, but you should not rely on an extension—submit as soon as possible.

Await Confirmation from OCR

After submission, you should receive confirmation—often a letter or email with a case or transaction number. Keep this for your records. OCR may request additional details or documents; respond by the deadline provided to avoid delays or closure.

Update OCR if your contact information changes. If you submitted by mail or fax, confirmation may take longer than online filing through the OCR Complaint Portal.

Understand OCR Investigation Process

OCR screens each complaint to verify jurisdiction and whether the allegations, if true, would violate the HIPAA Privacy Rule, Security Rule, or Breach Notification Requirements. If OCR lacks jurisdiction or the facts do not suggest a violation, the matter may be closed with an explanation or technical assistance.

If OCR opens an investigation, it typically requests information from the entity, such as policies, training records, access logs, risk analyses, and Business Associate Agreements. OCR may interview personnel, review the entity's Security Rule safeguards, and assess its response to any alleged breach.

In some cases, OCR may refer potential criminal matters to the Department of Justice. Throughout the process, OCR can facilitate corrective steps, including improved policies, staff training, access fulfillment, or enhanced security measures.

Receive Investigation Resolution

Outcomes vary based on the facts. OCR may close the case with no violation found, provide technical assistance to the entity, or obtain voluntary compliance and corrective action. In more significant cases, OCR may require a resolution agreement and a corrective action plan with monitoring and reporting.

If negotiations fail or violations are serious, OCR can impose Civil Money Penalties. Resolutions often focus on practical remedies—for example, providing access to records, revising notices and policies, retraining staff, hardening security controls, and documenting compliance with covered entity obligations.

Conclusion

To use the HIPAA Violation Complaint Form effectively, confirm eligibility, assemble clear evidence, choose your submission method (preferably the OCR Complaint Portal), sign and date, and file within 180 days. Prompt, complete, and factual submissions give OCR what it needs to evaluate your concerns and drive meaningful compliance outcomes.

FAQs

What information is required to file a HIPAA complaint?

You will need your contact details; the name and contact information of the covered entity or business associate; the date(s) and a description of what happened; which Privacy Rule, Security Rule, or Breach Notification Rule requirements may have been violated; your preference on whether OCR may disclose your identity; and any supporting documents or evidence.

How long do I have to submit a HIPAA violation complaint?

You generally have 180 days from when you knew or should have known about the alleged violation. If you are late, explain any good cause for the delay, but file as soon as possible to preserve your options.

Can I submit a HIPAA complaint online?

Yes. You can file through the OCR Complaint Portal, which enables online completion, document uploads, and electronic signature. Mail, fax, and email options are also available if you prefer or need accommodations.

What happens after the OCR receives my HIPAA complaint?

OCR acknowledges receipt and screens the complaint for jurisdiction and potential violations. If it proceeds, OCR requests information from the entity, evaluates policies and safeguards, and may seek corrective actions. The matter can conclude with technical assistance, voluntary compliance, a corrective action plan, or—when warranted—Civil Money Penalties.
