HIPAA Violations Reporting Explained: Which Agency Handles Complaints and Breaches?



Kevin Henry

HIPAA

September 21, 2024

6 minutes read

Reporting HIPAA Violations to OCR

If you suspect a HIPAA violation, the federal agency that handles complaints and breach oversight is the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules across healthcare providers, health plans, clearinghouses, and their vendors.

OCR investigates alleged noncompliance involving Protected Health Information (PHI), including impermissible uses or disclosures, inadequate safeguards, improper denial of access, and failures to send required breach notices. Anyone can report concerns—patients, workforce members, Business Associates, or the public.

Complaints to OCR are separate from breach notifications. Complaints allege violations by Covered Entities or Business Associates, while breach notifications are specific legal notices entities must send after a qualifying incident.

Internal Reporting Procedures

Before or alongside contacting OCR, use your organization’s internal reporting channels. Early escalation helps contain risk, preserve evidence, and ensure timely decisions about breach notification and remediation.

  • Notify your designated privacy or security officer immediately and follow your incident response plan.
  • Document what happened, when, who was involved, systems affected, and the PHI types at issue.
  • Secure accounts, devices, and records to stop further disclosure and begin mitigation.
  • If you are a Business Associate, alert the Covered Entity as required by your Business Associate Agreement.
  • Retain emails, logs, screenshots, and audit trails; they are crucial for risk assessments and potential OCR inquiries.

Internal reports should trigger a risk assessment, workforce interviews, and corrective steps such as access changes, training refreshers, and policy updates. Non‑retaliation protections should be communicated so employees feel safe reporting concerns.

Filing Complaints with OCR

What to prepare

  • Your contact information and preferred method of communication.
  • The name of the Covered Entity or Business Associate, dates, locations, and a clear description of the issue.
  • Evidence, if available (e.g., letters, portal screenshots, audit messages).
  • Authorization or representation details if you file on someone else’s behalf.

How to submit

You can submit a complaint to OCR electronically or in writing. File as soon as possible; complaints generally must be submitted within 180 days of when you knew of the alleged violation, though OCR may extend this for good cause. Keep copies of everything you send.

What happens next

OCR screens your complaint for jurisdiction and sufficiency, may seek more details, and can open an investigation or provide technical assistance. Outcomes range from voluntary compliance and Corrective Action Plans to Civil Monetary Penalties when warranted. You will be informed when the matter is resolved.


Reporting Timeframe and Deadlines

  • OCR complaints: Generally due within 180 days from when you became aware of the issue; extensions may be granted for good cause.
  • To affected individuals: Under the Breach Notification Rule, notify “without unreasonable delay” and no later than 60 calendar days after discovery of a breach.
  • Business Associate to Covered Entity: Notify without unreasonable delay and no later than 60 days after discovery, or sooner if your agreement requires it.
  • To HHS/OCR: For breaches affecting 500 or more individuals, notify within 60 days of discovery; for fewer than 500, log and submit to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
  • To the media: If 500 or more residents of a single state or jurisdiction are affected, provide media notice without unreasonable delay and within 60 days.
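The deadlines in the list above can be turned into a simple planner that computes the latest permissible date for each notice from the discovery date and the headcount. This is an added example, not code from the original article; the rules it encodes are exactly the ones the list states (60 calendar days, the 500-individual threshold, the annual log for smaller breaches), and the class, field, and function names are assumptions.

```python
"""Breach-notification deadline planner (added example; names are assumptions)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # "no later than 60 calendar days" after discovery
LARGE_BREACH = 500                  # threshold for immediate HHS notice and media notice


@dataclass
class Breach:
    discovered: date
    affected: int                                   # total individuals affected
    by_state: dict = field(default_factory=dict)    # state/jurisdiction -> residents affected
    is_business_associate: bool = False             # reporter is a BA rather than the Covered Entity


def notification_plan(b: Breach) -> dict:
    """Return the latest date each required notice may be sent.

    These are outer bounds only: every notice is still due "without
    unreasonable delay", and a Business Associate Agreement may set a
    shorter clock for the BA-to-Covered-Entity notice.
    """
    plan = {"individuals": b.discovered + NOTICE_WINDOW}

    if b.is_business_associate:
        # BA must notify the Covered Entity within 60 days (or sooner per the BAA)
        plan["covered_entity"] = b.discovered + NOTICE_WINDOW

    if b.affected >= LARGE_BREACH:
        # 500 or more individuals: HHS/OCR within 60 days of discovery
        plan["hhs"] = b.discovered + NOTICE_WINDOW
    else:
        # fewer than 500: log it and submit within 60 days after the calendar year ends
        year_end = date(b.discovered.year, 12, 31)
        plan["hhs"] = year_end + NOTICE_WINDOW

    # media notice is per state/jurisdiction, triggered at 500 residents of that state
    media_states = sorted(s for s, n in b.by_state.items() if n >= LARGE_BREACH)
    if media_states:
        plan["media"] = b.discovered + NOTICE_WINDOW
        plan["media_states"] = media_states

    return plan


if __name__ == "__main__":
    # constructed sample: 1,200 individuals, 700 of them in one state
    sample = Breach(date(2024, 9, 21), 1200, {"CA": 700, "NV": 400, "OR": 100})
    for notice, due in notification_plan(sample).items():
        print(f"{notice:15} {due}")
```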

Breach Notification Requirements

Who must notify

  • Covered Entities must notify affected individuals and, when applicable, HHS and the media.
  • Business Associates must notify the Covered Entity, which then handles required external notifications unless the agreement says otherwise.

Risk assessment and when notice is required

After any impermissible use or disclosure of PHI, conduct a four‑factor risk assessment to determine if there is a low probability that PHI has been compromised. If not low, treat the incident as a breach and follow the Breach Notification Rule.

What the notice must include

  • A brief description of what happened and the discovery date.
  • The types of PHI involved (for example, names, diagnoses, Social Security numbers).
  • Steps individuals should take to protect themselves.
  • What the organization is doing to investigate, mitigate harm, and prevent a recurrence.
  • Contact methods for questions (toll‑free number, email, or postal address).

Form of notice

Provide written notice by first‑class mail or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more individuals, use a substitute notice such as a website posting or media notice, and include a toll‑free number.

Enforcement Actions and Penalties

OCR tailors enforcement to the facts. Many cases close with technical assistance or voluntary compliance. When systemic or serious noncompliance is found, OCR may enter a Resolution Agreement requiring a multi‑year Corrective Action Plan with reporting and monitoring.

Civil Monetary Penalties can be imposed based on factors such as the nature and duration of the violation, the number of individuals affected, the level of culpability (from lack of knowledge to willful neglect), prior history, harm caused, and the entity’s financial condition. Persistent or uncorrected issues, especially after notice, significantly increase risk.

OCR may also initiate compliance reviews, refer matters for criminal investigation where applicable, and publicize enforcement actions to encourage industry‑wide compliance.

Role of State Health Departments

HIPAA is a federal law enforced by OCR, but state health departments can play an important complementary role. They may accept complaints about state privacy laws, oversee public health program practices, and coordinate with OCR when incidents cross federal and state requirements.

Many states have their own breach notification statutes—often with shorter timelines or broader definitions than HIPAA. You must follow whichever rule is more protective of individuals. Check whether your incident triggers both HIPAA and state obligations, and align your notices, content, and timing accordingly.

In short, escalate internally, assess quickly, and notify promptly. OCR leads HIPAA enforcement, while state authorities may add parallel duties. Treat every incident as an opportunity to strengthen safeguards and reduce future risk.

FAQs

How do I file a HIPAA violation complaint?

Gather facts about what happened, when it happened, and who was involved; include any documents or screenshots. Submit your complaint to the Office for Civil Rights electronically or in writing. File within 180 days of when you learned of the issue, or explain good cause for any delay. Keep a copy of your submission and any OCR correspondence.

What is the role of the Office for Civil Rights in HIPAA enforcement?

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules. It reviews complaints, conducts investigations and compliance reviews, and resolves cases through technical assistance, voluntary compliance, Corrective Action Plans, Resolution Agreements, and, when appropriate, Civil Monetary Penalties.

When must a breach be reported to the media?

If a breach involves 500 or more residents of a single state or jurisdiction, the Covered Entity must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery, in addition to notifying affected individuals and HHS.
