HIPAA Violation Complaints: What Happens After You File? Timelines, Investigations, and Outcomes



Kevin Henry

HIPAA

January 26, 2024

6 minutes read

Filing a HIPAA Complaint

If you believe your protected health information (PHI) was mishandled, you can file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Anyone may file—patients, caregivers, workforce members, or representatives—so long as the allegations involve a HIPAA covered entity or business associate.

You generally must file within 180 days of when you knew, or should have known, about the issue. OCR may extend this window for good cause, so explain any delays clearly when you submit.

What to include

  • The name of the organization(s) and people involved, and how to contact them.
  • Dates, locations, and a concise description of what happened.
  • Why you believe HIPAA was violated (e.g., improper disclosure, lack of safeguards, late breach notice).
  • Any documents or messages that support your description.

OCR protects your identity to the extent the law allows, but it may need to share information to investigate. If your complaint concerns employment records, schools covered by FERPA, life insurers, or apps outside HIPAA, it may fall outside OCR's jurisdiction and be closed or referred.

Initial Review Process

After you file, OCR performs an intake and triage. It confirms timeliness, verifies OCR jurisdiction, and checks whether the facts—if true—would violate the Privacy Rule, Security Rule, or Breach Notification Requirements.

Screening outcomes

  • Acceptance for investigation: OCR opens a case and notifies the organization.
  • Early Complaint Resolution (ECR): OCR may facilitate a quick, informal resolution between you and the organization.
  • Technical assistance: OCR may educate the organization and close the matter when the risk is minor and promptly corrected.
  • Closure or referral: If untimely, outside jurisdiction, or not a HIPAA issue, OCR closes the complaint or refers it to another agency.

OCR typically acknowledges your submission and may request clarification or authorization to use your protected health information (PHI) during the process. The duration of this stage varies with caseload and the clarity of your facts.

Investigation Process

When OCR opens a case, it informs the organization of the allegations and requests records. Investigative procedures can include interviews, written data requests, and, when needed, site visits.

What OCR examines

  • Privacy Rule compliance: Uses and disclosures of PHI, “minimum necessary,” notices of privacy practices, and the right of access.
  • Security Rule enforcement: Risk analysis and risk management, access controls, audit logs, encryption, workforce training, and vendor oversight.
  • Breach Notification Requirements: Whether individuals, HHS, and (when applicable) the media were notified without unreasonable delay and no later than 60 days, and whether content and documentation were sufficient.

Evidence OCR may request

  • Policies, risk analyses, incident reports, logs, and sanctions records.
  • Business associate agreements and service provider contracts.
  • Training materials and proof of workforce completion.
  • Remediation plans and timelines already undertaken.

Organizations usually get a set period to respond. OCR analyzes submissions, may pose follow-up questions, and can attempt ECR at any time if a voluntary solution looks feasible. Complex investigations can take months or longer, especially if many individuals are affected or multiple entities are involved.


Resolution Outcomes

OCR sends a written outcome once fact-finding is complete. Possible results depend on the evidence, the organization’s cooperation, and the scope of harm.

  • No violation found: OCR closes the case when evidence does not substantiate a HIPAA violation.
  • Technical assistance or voluntary compliance: The organization remedies issues promptly, and OCR closes the case.
  • Corrective Action Plan (CAP): A formal, enforceable plan requiring specific steps—policy updates, training, risk analysis, and periodic reports—often monitored for 1–3 years.
  • Resolution agreement and Civil Money Penalties: For serious, persistent, or uncorrected violations, OCR may impose tiered Civil Money Penalties. Penalty ranges depend on factors like culpability, harm, and mitigation, and amounts are adjusted periodically for inflation.
  • Criminal referral: If facts suggest knowing misuse or sale of PHI, OCR may refer the matter to the Department of Justice. DOJ decides whether to pursue criminal charges.

HIPAA does not provide individual monetary damages through OCR’s process. Penalties, if any, are paid to the U.S. Treasury, though separate rights may exist under other laws.

Complainant Notification

You will receive written notice—by mail or email—acknowledging your complaint and, later, a closure or resolution letter. OCR describes the issues reviewed, applicable HIPAA provisions, and the result (for example, ECR, technical assistance, a CAP, penalties, or referral).

Because OCR must protect patient and workforce privacy, the letter may not include sensitive details gathered from the organization. If OCR needs more information from you, it will request it during the case. Keep your contact information current so you don’t miss updates.

Conclusion

Filing a HIPAA complaint triggers a structured process: intake, screening, evidence gathering, and a resolution that can range from education to a Corrective Action Plan or Civil Money Penalties. Provide clear facts and timely documentation, and expect the timeline to vary with case complexity and the level of cooperation.

FAQs

How long do I have to file a HIPAA violation complaint?

Generally, you must file within 180 days of when you knew, or reasonably should have known, about the potential violation. OCR can extend this deadline for good cause, so explain any circumstances that prevented earlier filing.

What steps does the OCR take after receiving a complaint?

OCR acknowledges your complaint, screens it for jurisdiction and timeliness, and decides whether to open an investigation or attempt Early Complaint Resolution. If opened, OCR requests records, interviews witnesses, and evaluates Privacy Rule compliance, Security Rule enforcement, and Breach Notification Requirements before issuing a written outcome.

Can a HIPAA violation complaint result in criminal charges?

Yes. While OCR handles civil enforcement, it may refer cases with potential criminal conduct—such as knowingly obtaining or disclosing PHI for personal gain—to the Department of Justice. DOJ determines whether to prosecute.

How will I be notified of the investigation outcome?

OCR sends a closure or resolution letter by mail or email summarizing the allegations reviewed and the result, such as no violation, technical assistance, a Corrective Action Plan, Civil Money Penalties, or a referral. Details may be limited to protect privacy, but the letter explains the disposition.
