HIPAA Violation Reporting: Who to Contact, Documentation, and Timelines
When a privacy or security incident involves protected health information, acting quickly and in the right order protects individuals and limits organizational risk. This guide explains exactly who to contact, what to document, and the timelines that apply to HIPAA violation reporting under the breach notification rule.
Reporting HIPAA Violations to OCR
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is the federal agency that enforces HIPAA. You can submit complaints directly to OCR if you believe a covered entity or business associate violated the Privacy, Security, or Breach Notification Rules.
How to report
- Use the HIPAA complaint portal to file online, or submit by mail, fax, or email using OCR’s complaint form.
- File within 180 days of when you knew, or should reasonably have known, about the violation (OCR may extend for good cause).
- Provide the entity’s name and contact details, dates of the incident, what happened, and why you believe HIPAA was violated.
What to include
- A clear description of the incident (who, what, when, where).
- Any steps the entity took after the incident and your communications with them.
- Supporting evidence such as letters, emails, screenshots, or audit trails.
You may request confidentiality of your identity. Providing accurate contact information helps OCR gather facts and keep you informed.
Reporting to Covered Entities
Before or in parallel with an OCR complaint, report concerns to the organization involved. Reporting internally to the covered entity often triggers faster remediation and preserves evidence.
Who to contact
- The HIPAA compliance officer or privacy officer listed in the provider’s Notice of Privacy Practices.
- Your supervisor or HR if you are a workforce member.
- The security officer for suspected technical or cybersecurity issues.
What to submit
- Incident summary: date discovered, systems affected, types of PHI, number of individuals potentially impacted.
- Actions taken: containment, mitigation, and any immediate corrective steps.
- Requested next steps: investigation, patient notification, and additional safeguards.
Business associates must notify the covered entity without unreasonable delay and provide identities of affected individuals when known. Keep copies of your report for your records.
Documentation Requirements for Complaints
Thorough documentation of privacy incidents speeds investigations and supports defensible decisions. Capture details contemporaneously and store them in a controlled repository.
Core elements to document
- Discovery details: date/time discovered, reporter, and how the issue was found.
- Incident facts: systems, locations, workforce members involved, and the categories of PHI (e.g., names, diagnoses, SSNs).
- Risk assessment: whether PHI was actually acquired, viewed, or exfiltrated; the unauthorized person who used or received it; whether the PHI was de-identified or encrypted; and the mitigation performed.
- Containment and mitigation: access revocation, device retrieval, password resets, phishing takedowns, or patient reassurance calls.
- Notification decisions: rationale for breach/not-a-breach determinations under the breach notification rule, content of notices, and dates sent.
- Remediation: policy changes, training, sanctions, technical safeguards, and follow-up validation.
Retention and integrity
- Retain HIPAA-related complaints, risk assessments, decisions, and notices for at least six years.
- Maintain version control, audit logs, and access limitations to protect the integrity of the record.
Breach Notification to HHS
Separate from an individual’s complaint to OCR, covered entities and business associates have affirmative duties to report certain breaches to HHS under the breach notification rule.
When and how to notify HHS
- 500 or more individuals affected: notify HHS without unreasonable delay and no later than 60 calendar days after discovery via the HHS breach portal.
- Fewer than 500 individuals: log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered.
Content of the HHS report
- Brief description of the incident and date of discovery.
- Categories of PHI and the approximate number of individuals affected.
- Steps taken to mitigate harm and prevent future occurrences.
- Contact methods for individuals to obtain additional information.
Media Notification Obligations
If a breach involves more than 500 residents of a single state or jurisdiction, the covered entity must provide notice to prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery.
- Media notice should describe what happened, the types of information involved, steps taken, and guidance for affected individuals.
- Media notice supplements, and does not replace, direct notice to each affected individual when contact information is available.
- Avoid including sensitive details that could further expose PHI.
Timeliness of Reporting
HIPAA sets specific timeframes to ensure prompt action. When in doubt, act earlier and document your rationale.
- Individual notification: without unreasonable delay and no later than 60 calendar days after breach discovery.
- HHS notification: within 60 calendar days of discovery for breaches affecting 500+ individuals; by 60 days after the end of the calendar year for fewer than 500.
- Media notification: within 60 calendar days of discovery for breaches affecting more than 500 residents of a state or jurisdiction.
- Business associate to covered entity reporting: without unreasonable delay, and no later than 60 calendar days after discovery, including identities of affected individuals when known.
- Complaints to OCR: generally within 180 days of when you knew or should have known of the violation.
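The timelines above branch on discovery date and headcount, and the "fewer than 500" case has a year-end edge that is easy to get wrong. The following deadline calculator is an added example, not code from the page or from Accountable. It assumes the 60-day window is counted in calendar days from the discovery date and that the annual report for smaller breaches is due 60 calendar days after 31 December of the discovery year; the party names, field names and the scenario at the bottom are constructed for illustration.

```python
"""Deadline calculator for the breach notification timelines listed above.

Added example; not code from the page or from Accountable. It assumes the
60-day window is counted in calendar days from the discovery date and that the
"fewer than 500" annual report is due 60 calendar days after 31 December of the
discovery year. Party names and the scenario at the bottom are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Union

NOTICE_WINDOW = timedelta(days=60)  # outer limit: "no later than 60 calendar days"
HHS_PROMPT_THRESHOLD = 500          # 500 or more individuals: HHS within the window
MEDIA_THRESHOLD = 500               # more than 500 residents of one state/jurisdiction


@dataclass(frozen=True)
class BreachFacts:
    discovered: date
    individuals_affected: int
    residents_one_jurisdiction: int  # largest count in any single state/jurisdiction
    by_business_associate: bool = False  # discovered by a BA, which must tell the CE

    def __post_init__(self) -> None:
        if self.individuals_affected < 0:
            raise ValueError("individuals_affected must be non-negative")
        if not 0 <= self.residents_one_jurisdiction <= self.individuals_affected:
            raise ValueError("jurisdiction count cannot exceed total individuals")

    @classmethod
    def from_iso(cls, discovered_iso: str, individuals: int,
                 residents_one_jurisdiction: int, by_business_associate: bool = False):
        return cls(date.fromisoformat(discovered_iso), individuals,
                   residents_one_jurisdiction, by_business_associate)


@dataclass(frozen=True)
class Deadline:
    due: date
    basis: str


def annual_report_deadline(discovered: date) -> date:
    """Fewer than 500 individuals: 60 days after the end of the discovery year,
    which lands on 1 March, or 29 February when the following year is a leap year."""
    return date(discovered.year, 12, 31) + NOTICE_WINDOW


def notification_deadlines(facts: BreachFacts) -> Dict[str, Deadline]:
    """Map each party that must be notified to its outer deadline. 'Without
    unreasonable delay' still governs; these are latest permissible dates."""
    outer = facts.discovered + NOTICE_WINDOW
    deadlines: Dict[str, Deadline] = {}
    if facts.by_business_associate:
        deadlines["covered entity"] = Deadline(
            outer, "business associate report, with identities of individuals when known")
    deadlines["affected individuals"] = Deadline(outer, "individual notice")
    if facts.individuals_affected >= HHS_PROMPT_THRESHOLD:
        deadlines["HHS"] = Deadline(outer, "500 or more individuals: HHS breach portal")
    else:
        deadlines["HHS"] = Deadline(annual_report_deadline(facts.discovered),
                                    "fewer than 500: log now, report after year end")
    if facts.residents_one_jurisdiction > MEDIA_THRESHOLD:
        deadlines["prominent media"] = Deadline(
            outer, "more than 500 residents of one state or jurisdiction")
    return deadlines


def deadline_dates(facts: BreachFacts) -> Dict[str, str]:
    """Same as notification_deadlines, with ISO date strings for logging or tickets."""
    return {party: d.due.isoformat() for party, d in notification_deadlines(facts).items()}


def days_remaining(facts: BreachFacts, today: Union[date, str]) -> Dict[str, int]:
    """Days left per party as of `today`; negative means the outer deadline has passed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {party: (d.due - today).days for party, d in notification_deadlines(facts).items()}


if __name__ == "__main__":
    # Constructed scenario: a large breach discovered mid-November.
    facts = BreachFacts.from_iso("2024-11-15", individuals=1200, residents_one_jurisdiction=800)
    for party, d in notification_deadlines(facts).items():
        print(f"{party:<22} due {d.due.isoformat()}  ({d.basis})")
    for party, left in days_remaining(facts, "2025-01-01").items():
        print(f"{party:<22} {left:+d} days remaining")
```

The thresholds are deliberately asymmetric, as the page states them: HHS prompt reporting starts at 500 individuals inclusive, while media notice requires more than 500 residents of a single jurisdiction, so a breach of exactly 500 people in one state triggers the former and not the latter. Treat every date returned as the last permissible day, not the target; the "without unreasonable delay" standard applies first.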
Complaint Processing and Investigation
Once a complaint reaches OCR, HIPAA investigation procedures begin with intake and triage. OCR confirms jurisdiction, assesses timeliness, and determines whether the allegations, if true, would violate HIPAA.
Typical investigation steps
- Data request: OCR seeks policies, risk analyses, training records, incident reports, and logs.
- Interviews and correspondence: OCR may interview workforce members and request clarifications or additional documentation.
- Findings and resolution: outcomes can include technical assistance, voluntary compliance, corrective action plans, resolution agreements, or civil money penalties.
- Monitoring: for significant findings, OCR may require multi-year monitoring and progress reporting.
What you can do
- Respond completely and on time to OCR requests; keep all privacy incident documentation organized and accessible.
- Demonstrate risk-based decisions, workforce training, and consistent enforcement of policies.
- Track and close corrective actions, then validate effectiveness.
Key takeaways
- Report concerns to the covered entity’s HIPAA compliance officer promptly, and to OCR via the HIPAA complaint portal when appropriate.
- Document every step—facts, risk assessment, notifications, and remediation—and retain records for at least six years.
- Meet strict timelines: 60 days for breach notifications and 180 days to file OCR complaints, with additional media and HHS reporting when thresholds are met.
FAQs
How do I file a HIPAA violation complaint?
You can file with the Office for Civil Rights through the HIPAA complaint portal or by sending OCR’s complaint form via mail, fax, or email. Include the entity’s name, dates, what happened, why you believe HIPAA was violated, and any supporting evidence. File within 180 days of learning about the issue, and keep copies of everything you submit.
Who is responsible for handling HIPAA violations at a healthcare provider?
The provider’s HIPAA compliance officer—often titled privacy officer or security officer—coordinates investigations, risk assessments, notifications, and remediation. Workforce members typically report incidents to this officer or through internal compliance hotlines, with escalation to leadership and legal as needed.
What are the deadlines for reporting a HIPAA breach?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, notify HHS within 60 days of discovery and the media if more than 500 residents of a state or jurisdiction are involved. For fewer than 500 individuals, report to HHS no later than 60 days after the end of the calendar year.
Can HIPAA complaints be filed anonymously?
You can raise concerns without disclosing your identity, but providing your contact information helps OCR investigate and communicate with you. Many organizations also offer anonymous internal hotlines. If you request confidentiality, OCR strives to protect your identity to the extent permissible by law.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.