HIPAA Violation Complaint Process: How to File, Where to Report, and What Happens Next
Filing Methods for HIPAA Complaints
You report HIPAA privacy or security concerns to the U.S. Department of Health and Human Services Office for Civil Rights. OCR is the federal agency that receives, reviews, and investigates complaints under the HIPAA Privacy, Security, and Breach Notification Rules.
Primary ways to file
- Online: Submit the Health Information Privacy Complaint Form through OCR’s secure portal. You can upload documents and provide a digital signature.
- Mail or fax: Send a written complaint to OCR with all required details and a signature. If you are unsure which regional office applies, OCR will route it for you.
- Accommodations: If you need help completing the form, or need it in another language or an accessible format, you can request assistance from OCR before filing.
What happens right after you file
OCR’s Centralized Case Management Operations assigns a case number, acknowledges receipt, and forwards the matter to the appropriate regional team for initial review. Keep your case number and any confirmation messages for reference.
Necessary Complaint Information
Complete, specific information speeds OCR’s review. Provide enough detail for investigators to understand who was involved, what happened, and when.
Core details to include
- Your name, mailing address, phone, and email so OCR can contact you.
- The name of the organization you believe violated HIPAA (covered entity or business associate) and any key individuals or departments involved.
- A clear description of the incident: what occurred, how protected health information (PHI) was used or disclosed, and why you believe it violates HIPAA.
- Relevant dates or timeframe, including when you learned of the issue.
- Any steps you took to resolve the issue directly and any responses received.
- Supporting documents (e.g., letters, screenshots, policies) that substantiate your account.
- Your signature (handwritten or electronic) attesting that the information is accurate. If filing on someone’s behalf, include proof of authority as a personal representative.
Filing Deadlines and Extensions
In most cases, you must file within 180 days of when you knew (or should have known) about the alleged violation. Filing promptly improves OCR’s ability to obtain records and witness accounts.
Good-cause extensions
OCR may extend the 180-day deadline if you show good cause. Examples include serious illness, natural disasters, inability to obtain essential records in time, or other circumstances outside your control. Explain the reasons for any delay in your submission and include supporting documentation when possible.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
OCR Complaint Review Procedures
After intake, OCR conducts an initial assessment to decide how to proceed. This includes a Jurisdiction Determination and evaluation of the facts you provided.
Jurisdiction Determination
- Entity status: Whether the respondent is a HIPAA covered entity (like a health plan, health care provider, or clearinghouse) or a business associate.
- Subject matter: Whether the issue involves PHI and a requirement under the HIPAA Privacy, Security, or Breach Notification Rules.
- Timeliness: Whether the complaint meets the filing deadline or qualifies for a good-cause extension.
Investigation pathway
- Information requests: OCR may contact you and the respondent for records, policies, risk analyses, and other evidence.
- Interviews and site visits: When needed, OCR interviews personnel and may conduct onsite reviews.
- Early resolution or technical assistance: For certain issues, OCR may resolve the matter quickly through voluntary steps by the entity, education, or informal agreements.
Outcomes and Enforcement Actions
OCR aims to protect individuals’ health information and bring entities into compliance. Outcomes depend on the facts, cooperation, and seriousness of the issue.
Common resolution tools
- Voluntary Compliance: The entity agrees to fix issues promptly, often with documented proof of completion.
- Corrective Action Plan: A detailed, time-bound plan requiring policy updates, staff training, risk analysis, monitoring, and periodic reporting to OCR.
- Resolution Agreement: A formal settlement memorializing commitments and, in some cases, monetary payments.
- Civil Money Penalties: Assessed when violations warrant financial enforcement, especially where willful neglect or failure to correct is found.
- Referral to the Department of Justice: For potential criminal violations involving knowing misuse or disclosure of PHI.
- No violation found/insufficient evidence: OCR closes the matter if the evidence does not support a HIPAA violation.
Communication of Investigation Results
OCR will contact you if it needs clarification or additional documents during its review. You will receive written notice when OCR closes the case, including the outcome and, when appropriate, a summary of the corrective steps the entity was required to take.
What you can expect to receive
- Acknowledgment of your complaint and your case number from Centralized Case Management Operations.
- Requests for additional information if OCR needs more details to proceed.
- A closure or resolution letter explaining OCR’s findings, any Voluntary Compliance commitments, the terms of a Corrective Action Plan or Resolution Agreement, or whether Civil Money Penalties were imposed.
Key takeaways
- File with the U.S. Department of Health and Human Services Office for Civil Rights using the Health Information Privacy Complaint Form or by mail/fax.
- Include precise facts, dates, and supporting documents to aid OCR’s Jurisdiction Determination and investigation.
- Mind the 180-day deadline; request a good-cause extension if needed.
- Outcomes range from education and Voluntary Compliance to a Corrective Action Plan, Resolution Agreement, or Civil Money Penalties.
FAQs
What is the timeframe to file a HIPAA violation complaint?
Generally, you must file within 180 days from the date you knew or should have known of the alleged violation. OCR may grant an extension when you demonstrate good cause for filing late.
How do I submit a HIPAA complaint online?
Use the Health Information Privacy Complaint Form provided by the U.S. Department of Health and Human Services Office for Civil Rights. Complete all required fields, e-sign the form, attach any supporting documents, and submit. Centralized Case Management Operations will issue a case number and route your complaint for review.
What information is required in a HIPAA complaint?
Provide your contact information, the name of the covered entity or business associate, a detailed description of what happened, relevant dates, and supporting documents. Include your signature, and if filing for someone else, proof that you are authorized to act for that person.
What actions can OCR take after investigating a complaint?
Depending on the facts, OCR may secure Voluntary Compliance, require a Corrective Action Plan or Resolution Agreement, assess Civil Money Penalties, refer potential criminal matters to the Department of Justice, provide technical assistance, or close the case if no violation is found.