HIPAA Violation Complaint: How to Report It and What to Expect
If you believe your protected health information (PHI) was mishandled or your rights under the HIPAA Privacy Rule were denied, you can submit a HIPAA violation complaint to the Office for Civil Rights. This guide explains how to file, what to include, how OCR evaluates complaints, possible enforcement outcomes, your protections against retaliation, and key timelines.
Filing a HIPAA Violation Complaint
You can file a HIPAA violation complaint if you are the affected individual, a personal representative, or someone with knowledge of potential noncompliance. Complaints may be filed against a Covered Entity (such as a health plan, healthcare provider, or clearinghouse) or a Business Associate that handles PHI on a covered entity’s behalf.
Complaint Jurisdiction
OCR can act only when the complaint involves PHI and alleges a violation by a Covered Entity or Business Associate under the HIPAA Privacy Rule or related HIPAA rules. Issues outside HIPAA—such as purely employment records or non‑covered consumer apps—generally fall outside OCR’s complaint jurisdiction.
How to file
- Submit online, by mail, or by email to the Office for Civil Rights. You may request language or disability accommodations when filing.
- Identify the organization and the specific event(s). If multiple organizations are involved, note each one.
- File promptly. If possible, contact the organization’s privacy office, but you do not need to do so before filing with OCR.
Before you file
- Confirm the entity is a Covered Entity or Business Associate and that HIPAA applies to the data at issue.
- Note the date you learned of the incident; this affects filing deadlines.
- Collect documents that support your account, such as letters denying access, notices, or screenshots.
Required Information for Complaints
Providing clear, specific details helps OCR assess your allegations and speeds review. Include:
- Your name and contact information, or indicate if you wish to remain anonymous where permitted.
- Name and contact details of the Covered Entity or Business Associate you are complaining about.
- Dates and locations of the incident(s) and when you became aware of them.
- A concise description of what happened, referencing the right or safeguard involved under the HIPAA Privacy Rule (for example, denial of access, impermissible disclosure, or lack of safeguards).
- Types of PHI involved and how it was used or disclosed.
- Any steps you took to resolve the issue and the responses you received.
- Names of witnesses or staff involved, if known.
- Copies of relevant documents (letters, emails, policies, screenshots), with sensitive details redacted if needed.
- Whether you filed with another agency or board about the same matter.
- An explanation if the complaint is filed more than 180 days after you learned of the incident.
Tips for clarity
- Organize facts in chronological order and avoid speculation.
- State the outcome you seek (for example, access to records, correction, or stronger safeguards).
- Keep your contact information current so OCR can reach you for follow‑up.
OCR Complaint Review Process
After you submit your complaint, OCR acknowledges receipt and performs an initial screening. The screening checks complaint jurisdiction, timeliness, and whether the allegations—if true—would violate the HIPAA Privacy Rule or related standards.
Possible early outcomes
- Closure for no jurisdiction or insufficient facts: OCR explains why the complaint cannot proceed.
- Technical assistance: OCR may educate the entity and/or you on compliance requirements and close the matter.
- Referral: If another authority is more appropriate, OCR may refer or suggest you contact that authority.
- Opening an investigation: If the complaint passes screening, OCR requests information from the entity and begins fact‑finding.
OCR may contact you for clarification, additional documents, or consent to share your identity with the entity if needed for effective review.
Investigation and Enforcement Procedures
When OCR investigates, it may request policies, logs, risk analyses, training records, and breach reports; interview staff; and assess the scope and impact of the incident. OCR evaluates whether safeguards and processes met HIPAA requirements and whether the entity responded appropriately.
Resolution paths
- Voluntary compliance or corrective action: The entity fixes issues and OCR closes the case.
- Resolution Agreement and Corrective Action Plan (CAP): A formal settlement requiring specific steps, reporting, and monitoring for a defined period.
- Civil Money Penalties: If warranted, OCR may impose penalties scaled by the level of culpability and other factors, such as the nature and extent of the violation and harm.
- Referral for criminal enforcement: If potential criminal conduct is identified, OCR may refer the matter to the Department of Justice.
- No violation found: OCR explains its determination and closes the complaint.
Covered Entity and Business Associate responsibility
Both Covered Entities and Business Associates can be directly liable for HIPAA violations. OCR considers contracts, roles, and who controlled the relevant activity when determining responsibility and remedies.
Rights Against Retaliation
The HIPAA Privacy Rule includes a Retaliation Prohibition. Covered Entities and Business Associates may not intimidate, threaten, coerce, or discriminate against you or a workforce member for filing a complaint with the Office for Civil Rights, participating in an investigation, or asserting HIPAA rights.
If retaliation occurs
- Document what happened, when, and who was involved, and keep related communications.
- Report the retaliation to OCR as part of your complaint or in a new submission.
- If you are an employee, consider internal reporting channels in addition to filing with OCR.
Timelines and Deadlines for Complaints
In general, you must file within 180 days of when you knew or should have known about the alleged violation. OCR may extend this deadline if you show good cause, such as serious illness, misrepresentation by the entity, or other circumstances beyond your control.
OCR’s acknowledgment typically arrives within weeks, and investigative timeframes vary based on complexity, cooperation, and any required corrective actions. Multi‑party incidents, systemic issues, or enforcement actions can take longer to resolve.
Conclusion
To move your HIPAA Violation Complaint forward effectively, confirm complaint jurisdiction, provide precise facts, meet the 180‑day deadline, and respond promptly to OCR requests. Understanding the review stages, enforcement tools—including Civil Money Penalties—and your strong protections against retaliation helps you set realistic expectations and protect your privacy rights.
FAQs
How do I file a HIPAA violation complaint?
Submit your complaint to the Office for Civil Rights online, by mail, or by email. Identify the Covered Entity or Business Associate, describe what happened, include dates, and explain how the HIPAA Privacy Rule may have been violated. File as soon as possible and keep copies of everything you submit.
What information is required in a HIPAA complaint?
Provide your contact information, the organization's name, dates, a clear description of the incident, what PHI was involved, supporting documents, and names of witnesses if available. If you are past 180 days, explain the reason so OCR can consider a good-cause extension.
What happens after a complaint is filed?
OCR screens the complaint for jurisdiction and timeliness, and may then offer technical assistance or open an investigation. If it investigates, OCR gathers records, interviews staff, analyzes compliance, and resolves the case through corrective action, a Resolution Agreement with a CAP, Civil Money Penalties, referral, or closure with no violation found.
Can I be retaliated against for filing a HIPAA complaint?
No. The HIPAA Privacy Rule’s Retaliation Prohibition bars Covered Entities and Business Associates from retaliating against you for reporting concerns or participating in an OCR investigation. Document any retaliatory behavior and report it to OCR.