How to file a HIPAA Complaint


Kevin Henry

HIPAA

April 22, 2021

6 minutes read

If you believe your health information privacy rights have been violated, you have the right to take action. Filing a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is the official way to report a potential HIPAA violation by a covered entity or business associate. The process is designed to protect your privacy, ensure accountability, and prompt corrective measures when healthcare organizations fall short of their obligations.

Understanding how to file a HIPAA complaint is crucial if you want your concerns heard and addressed. Whether you've experienced unauthorized disclosure of your medical records, witnessed improper handling of sensitive data, or faced retaliation for raising concerns, knowing the right steps empowers you to make a difference. The Office for Civil Rights (OCR) provides a streamlined complaint portal and clear guidelines to help you every step of the way.

Timing matters: there's a 180-day deadline for filing a complaint after discovering a violation. Acting quickly and providing detailed information increases the likelihood of a thorough investigation and, if necessary, a resolution agreement that protects your rights and improves compliance across the healthcare system.

In this guide, we'll walk you through eligibility, what constitutes a HIPAA violation, how to submit your complaint, what information to include, protections against retaliation, the OCR investigation process, and practical tips to strengthen your case. Your voice matters—let's make sure it's heard.

Who can file and eligibility

Anyone whose health information privacy rights may have been violated can file an OCR complaint. This includes patients, their legal representatives, or anyone acting on behalf of someone whose rights they believe were compromised. If you feel your protected health information was mishandled by a covered entity (such as a hospital, clinic, or insurance provider) or a business associate (a vendor with access to health data), you are eligible to submit a complaint.

Eligibility requirements are straightforward, but there are a few essentials to keep in mind:

  • You must submit your complaint within the 180-day deadline: The OCR requires that you file within 180 days of when you knew—or should have known—about the potential HIPAA violation. Extensions are possible, but only if you show good cause for the delay.
  • The alleged violation must involve a covered entity or business associate: Only organizations or individuals subject to HIPAA’s Privacy, Security, or Breach Notification Rules can be investigated.
  • You do not need to be a U.S. citizen to file a complaint: As long as your protected health information was handled by a U.S. covered entity or business associate, you’re eligible.
  • You can file on your own behalf or for someone else: Parents, legal guardians, or authorized representatives may file for minors or adults who are unable to act for themselves. Just be sure to include documentation proving your authority if you’re filing for another person.

Filing an OCR complaint is not limited to patients alone. Employees of covered entities or business associates can also report concerns, especially if they encounter practices that put patient privacy at risk. Importantly, HIPAA strictly prohibits retaliation against anyone who files a complaint or cooperates with an OCR investigation. If you experience any form of retaliation, be sure to include that information in your complaint as it is itself a violation of federal law.

Whether you’re directly affected or acting on someone’s behalf, your complaint can spark an official investigation, lead to a resolution agreement, and drive improvements in how organizations handle sensitive health information. The OCR’s complaint portal makes it straightforward to begin the process—ensuring your concerns are reviewed efficiently and fairly.

What violations qualify

Not every issue involving your health information meets the threshold for an OCR complaint under HIPAA. Understanding what qualifies as a HIPAA violation helps you focus your efforts and ensures you use the complaint process effectively. Generally, a HIPAA violation occurs when a covered entity or business associate fails to comply with the Privacy, Security, or Breach Notification Rules set by the Department of Health and Human Services (HHS).

Below are common situations that qualify as potential HIPAA violations:

  • Unauthorized Disclosure of Protected Health Information (PHI): If your medical information is shared without your consent or legitimate reason, such as being spoken about in public areas, faxed to the wrong number, or emailed without proper security, this can form the basis of an OCR complaint.
  • Failure to Provide Access to Your Records: You have the right to access your health records. If a provider refuses, delays beyond the required timeframe (generally 30 days, with one 30-day extension permitted), or charges unreasonable fees, this is a HIPAA violation.
  • Improper Safeguarding of PHI: Covered entities and business associates must implement administrative, technical, and physical safeguards to protect your data. Leaving files unsecured, failing to encrypt or otherwise protect electronic records, or failing to restrict access can all be violations.
  • Disclosure Beyond the Minimum Necessary: HIPAA requires organizations to limit disclosures to the minimum necessary information. Sharing more than needed—even within an organization—can be a basis for a complaint.
  • Retaliation for Exercising Your Rights: It is illegal for any covered entity or business associate to retaliate against you for filing an OCR complaint, participating in an investigation, or exercising your HIPAA rights.
  • Lack of Breach Notification: When a breach of your unsecured PHI occurs, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Failing to notify you or HHS meets the threshold for an OCR complaint.
  • Inadequate Training or Policies: If staff are not properly trained on HIPAA rules or policies are not enforced, resulting in improper use or disclosure of information, this can qualify as a violation.

It's important to note that only actions by covered entities (like healthcare providers, health plans, or clearinghouses) and their business associates fall under HIPAA's jurisdiction. Complaints must be filed within the 180-day deadline from when you learned of the violation. If you're unsure whether your situation qualifies, the OCR complaint portal provides guidance and allows you to describe your concern for a determination.

Once your complaint is filed, the OCR will investigate, and if a violation is found, the entity may be required to take corrective action—potentially including a formal resolution agreement to address the issues uncovered. Remember, your action not only protects your rights but also helps build a safer healthcare environment for everyone.

How to submit

Submitting a HIPAA complaint is a straightforward process, but it’s important to follow each step carefully for the best chance of your concern being addressed. Here’s what you need to know:

1. Start with the OCR Complaint Portal

  • Visit the official OCR Complaint Portal, which is the most efficient way to file your complaint online. This portal guides you through the required information and ensures your submission reaches the right department quickly.
  • Be prepared to enter your contact details, the name of the covered entity or business associate involved, and a detailed description of the suspected HIPAA violation.

2. Mind the 180-Day Deadline

  • You must file your complaint within 180 days of discovering the potential violation. If you miss this window, your complaint may not be accepted unless you can demonstrate “good cause” for the delay.

3. Include Essential Information

  • Clearly describe what happened, when it occurred, and why you believe it violates HIPAA rules. Include as many specifics as possible—dates, locations, and the individuals or departments involved.
  • If you have supporting documents (such as emails or letters), include those for a stronger case.

4. Choose How to Submit

  • If you prefer not to use the online portal, you can submit your complaint by mail, email, or fax. Written complaints should be sent to the U.S. Department of Health and Human Services at the address provided by OCR.
  • Make sure to sign and date your complaint. If you’re filing by email, submitting the form electronically is considered your signature.

5. Consent and Confidentiality

  • During the process, you’ll be asked to complete a consent form indicating whether OCR can disclose your identity during the investigation. You may request confidentiality, and OCR will honor this whenever possible.

6. Protection from Retaliation

  • HIPAA strictly prohibits retaliation by any covered entity or business associate against individuals who file a complaint. If you experience any adverse action as a result of your complaint, inform OCR immediately.

7. What Happens Next?

  • Once submitted, your complaint will be reviewed. If it describes a possible violation within OCR's jurisdiction, OCR may open an investigation; if a violation is found, OCR works toward corrective action with the organization involved, which may include a formal resolution agreement.

Filing an OCR complaint is a powerful way to uphold your privacy rights and help ensure healthcare organizations meet their HIPAA obligations. By following these steps, you can contribute to a safer and more accountable healthcare system for everyone.

Deadlines (180-day rule)

When filing an OCR complaint about a potential HIPAA violation, timing is critical. The Office for Civil Rights enforces a strict 180-day deadline for submitting your complaint. This means you have 180 days from the date you knew— or should have known—about the act or omission that violated your HIPAA rights to take action.

Why is the 180-day rule important? The deadline ensures that complaints are investigated while evidence and details are still fresh and relevant. Missing this window can mean losing your opportunity for an official review—unless you can demonstrate “good cause” for the delay, such as severe illness or extraordinary circumstances. However, these exceptions are rare and require solid documentation.

  • Start counting from the day you discover the potential HIPAA violation. If you learn on March 1 that your protected health information was improperly shared by a covered entity or business associate, your complaint must reach the OCR by August 28.
  • Act promptly, even if you’re unsure. Don’t wait to gather every detail—submit your complaint via the OCR complaint portal as soon as possible to protect your rights within the deadline.
  • Documentation is key. Keep a record of when you discovered the violation and any communications you have regarding your case, as this will support your timeline if questioned during an investigation.

We understand that deciding to file a complaint can be stressful and time-sensitive. The OCR is committed to protecting you from retaliation, so you can focus on resolving the issue rather than worrying about consequences. Meeting the 180-day deadline gives the OCR a fair chance to conduct a thorough investigation and, if necessary, reach a resolution agreement with the covered entity or business associate involved.

In summary: Don’t let the 180-day deadline pass you by. Filing your OCR complaint on time is the most important step to ensure your concerns about a HIPAA violation are heard and investigated properly.


What to include

When you're ready to file a HIPAA complaint with the Office for Civil Rights (OCR), it's essential to provide all necessary details to ensure your case is reviewed promptly and effectively. A clear and complete submission helps the OCR understand the scope of the possible HIPAA violation and speeds up the investigation process.

Your OCR complaint should include the following key elements:

  • Your contact information: Full name, address, telephone number, and email address (if available). This information allows OCR to reach you if they need clarification or updates during the investigation. If you wish for your identity to remain confidential, indicate this clearly in your submission.
  • Details about the covered entity or business associate: Name, full address, and telephone number of the person, agency, or organization you believe committed the HIPAA violation. Identifying whether the entity is a covered entity or a business associate is crucial, as OCR can only investigate those required to comply with HIPAA rules.
  • Specifics of the violation: A concise but thorough description of what happened. Include dates, locations, and the individuals involved. Clearly explain how, why, and when you believe your (or someone else’s) health information privacy rights were violated.
  • Relevant supporting information: Attach any documentation, correspondence, or evidence that supports your claim. The more specifics you provide, the easier it is for OCR to assess the situation and move the investigation forward.
  • Timeliness: Make sure your complaint is filed within the 180-day deadline from the date you became aware of the suspected HIPAA violation. If more time has passed, explain any good cause for the delay, as OCR may consider extensions in certain circumstances.
  • Consent form: When using the complaint portal or submitting by mail or email, complete and sign the required consent form, which allows OCR to process your complaint and, if needed, communicate with involved parties while protecting your privacy rights.
  • Retaliation concerns: If you suspect or experience any form of retaliation from the covered entity or business associate after filing your complaint, include these details so OCR can address them as part of your case.
  • If filing on someone else’s behalf: Provide the name and contact information of the individual whose privacy rights may have been violated, and explain your relationship and authority to file for them.

By including all these elements, you help ensure your OCR complaint is actionable and comprehensive. This thorough approach increases the chances of a proper investigation, potential corrective actions, and, if necessary, a resolution agreement that protects your health information rights. Remember, the complaint portal is designed to make this process as straightforward as possible—don’t hesitate to use it to track the status of your case and communicate securely with OCR.

Retaliation protections

Retaliation protections are a fundamental part of the HIPAA complaint process. When you file an OCR complaint about a suspected HIPAA violation, you are shielded by federal law from any adverse actions by the covered entity or business associate involved. In simple terms, retaliation means any form of punishment or negative treatment you might receive as a result of reporting a violation—such as being fired, demoted, harassed, or otherwise discriminated against.

HIPAA strictly prohibits retaliation against anyone who exercises their rights under the law, including submitting a complaint, testifying or assisting in an investigation or compliance review, or opposing a practice they reasonably believe is unlawful under HIPAA. This protection encourages individuals to come forward without fear, knowing their rights and careers are safeguarded.

  • If you suspect retaliation after filing a complaint, it's crucial to notify the Office for Civil Rights (OCR) immediately. The OCR treats reports of retaliation seriously and may launch a separate investigation into the alleged conduct.
  • Retaliation can take many forms, such as threats, changes in employment status, or denial of services. Document any suspicious actions that occur after you file your complaint to support your case during the investigation process.
  • Your confidentiality is respected throughout. When you use the complaint portal or submit your concern by mail, email, or fax, you can specify whether you want your identity kept confidential during the investigation. The OCR will honor this request whenever possible.
  • Covered entities and business associates found to have retaliated may face significant consequences, including corrective action, civil money penalties, and resolution agreements to address the violation and prevent future misconduct.

In summary, retaliation protections empower you to speak up about HIPAA violations without risking your job, reputation, or access to care. Trust the system in place—if you experience or even suspect retaliation after reporting a concern, reach out to the OCR and let them support you through the investigation and resolution process.

OCR investigation process

Once you submit an OCR complaint about a suspected HIPAA violation, your case moves into the investigation process—this is where real accountability begins. The Office for Civil Rights (OCR) reviews your complaint to determine if it falls within their authority, meaning it must involve a covered entity or business associate and relate to the HIPAA Privacy, Security, or Breach Notification Rules.

Here's what you can expect during the OCR investigation process:

  • Initial Review: OCR reviews your complaint to ensure it includes all required information, was filed within the 180-day deadline, and describes a potential violation. If more details are needed, OCR may contact you for clarification.
  • Jurisdiction Assessment: The agency confirms whether the organization you reported is a covered entity or business associate regulated by HIPAA. If not, OCR will let you know and may refer your complaint elsewhere if appropriate.
  • Notification and Response: If the complaint is accepted, OCR notifies the organization involved. The covered entity or business associate then has a chance to respond, often providing documents or statements about the incident.
  • Fact-Finding: OCR gathers evidence—this may include interviews, reviewing policies, and examining how health information was handled. They look for patterns or systemic issues, not just isolated incidents.
  • No Retaliation Allowed: HIPAA strictly prohibits retaliation against anyone who files a complaint. If you experience any negative consequences, notify OCR immediately for additional protection.
  • Resolution Pathways: After reviewing all facts, OCR decides on the best way forward. This could involve:
    • Voluntary compliance by the organization
    • Corrective action plan to fix deficiencies
    • A formal resolution agreement if significant changes are needed, often including ongoing monitoring
  • Closing the Case: You will be informed of the outcome. If a violation is found, OCR may require the organization to change its practices, train staff, or take other remedial actions. In severe cases, financial penalties may apply.

Throughout the process, OCR keeps your information confidential and focuses on resolving issues without compromising your privacy or rights. The goal isn’t just punishment—it’s to ensure that healthcare organizations treat your health information with the respect and security it deserves.

By understanding the investigation process, you can approach the complaint portal confidently, knowing that your concerns will be taken seriously and handled professionally.

Tips to strengthen your complaint

Submitting a well-prepared OCR complaint can make a significant difference in how effectively your HIPAA violation concern is addressed. A detailed, organized approach helps investigators quickly identify the key issues, clarifies your experience, and provides a solid foundation for any follow-up or resolution agreement.

Here are practical tips to strengthen your complaint and improve the likelihood of a thorough investigation:

  • Be Specific and Factual: Clearly describe the incident, including what happened, when, and where. Name the covered entity or business associate involved, and provide dates and times if possible. Avoid vague statements—specific details add credibility and clarity.
  • Include Supporting Documentation: Attach any relevant records, emails, letters, or screenshots that support your claim. Documentation helps substantiate your account and gives the OCR more to work with during the investigation.
  • Stay Within the 180-Day Deadline: File your complaint as soon as you become aware of the suspected HIPAA violation. OCR generally enforces a 180-day deadline, so acting promptly protects your rights.
  • Use the Complaint Portal: Submitting your complaint via the official complaint portal streamlines the process and ensures your information is directed to the right department. The portal prompts you to provide all necessary information, reducing the chance of missing details.
  • Describe Any Retaliation: If you’ve faced retaliation for raising concerns, mention this explicitly in your complaint. HIPAA protects you from retaliation, and reporting it can trigger additional oversight.
  • Focus on HIPAA-Relevant Issues: Limit your complaint to activities that are potential violations of the Privacy, Security, or Breach Notification Rules. This helps OCR evaluate your claim efficiently and increases the likelihood of action.
  • Keep a Copy of Your Submission: Save or print a copy of your complaint and any related correspondence. This record can be helpful if you need to follow up or reference details during the investigation process.
  • Be Clear About Your Desired Outcome: If you have a specific resolution in mind—such as a correction, an apology, or policy change—state it clearly. While OCR may not guarantee your outcome, clarity helps focus the resolution agreement process.
  • Provide Complete Contact Information: Accurate information ensures OCR can communicate with you about the progress of the investigation or request additional details if needed.

By following these tips, you’ll help OCR understand the scope and impact of the HIPAA violation, paving the way for a fair and timely resolution. Remember, a strong complaint not only addresses your own concerns but also contributes to better privacy practices across the healthcare industry.

Understanding how to file a HIPAA complaint is crucial if you want your concern addressed quickly and effectively. By submitting an OCR complaint within the 180-day deadline, you ensure your voice is heard and the incident is evaluated by the right authorities. Whether the issue involves a covered entity or a business associate, using the official complaint portal or submitting your information in writing puts the process in motion.

Remember, you are protected from retaliation for speaking up about a potential HIPAA violation. The OCR will thoroughly review your complaint, investigate where appropriate, and pursue a resolution agreement if necessary to remedy violations and prevent future breaches. Your willingness to report concerns helps improve the healthcare system for everyone.

If you suspect your health information privacy rights have been compromised, don’t hesitate to act. Filing an OCR complaint is straightforward, confidential, and could spark meaningful change—both for you and for countless others relying on secure, ethical handling of their health data. We’re here to remind you that protecting your privacy is your right, and taking the first step makes a difference.

FAQs

Can I file anonymously?

Filing an OCR complaint about a HIPAA violation requires you to provide your name and contact information. The Office for Civil Rights (OCR) cannot investigate complaints submitted anonymously through their complaint portal or by mail. This is because they may need to contact you for additional details during the investigation process.

If you’re concerned about privacy, you can request that your identity be kept confidential when you complete the consent form as part of your complaint submission. The OCR takes confidentiality seriously and will not disclose your identity without your permission, unless required by law.

Remember, HIPAA prohibits retaliation against anyone who files a complaint in good faith. If you experience any form of retaliation from a covered entity or business associate after filing, you should notify OCR immediately.

To ensure your complaint is considered, be sure to submit it within the 180-day deadline from the date you became aware of the potential HIPAA violation, and include all requested information via the complaint portal or in writing.

What is the filing deadline?

The filing deadline for an OCR complaint about a HIPAA violation is 180 days from the date you knew, or should have known, about the act or omission you’re reporting. This 180-day deadline is critical—if you try to file a complaint after this window, in most cases, the Office for Civil Rights (OCR) will not investigate, unless you can show “good cause” for the delay.

If you believe a covered entity or business associate has violated your HIPAA rights, it’s important to act quickly. You can submit your complaint online through the complaint portal, or by mail, fax, or email. No matter how you file, remember that the clock starts ticking as soon as you are aware of the violation.

In addition, retaliation for filing a complaint is strictly prohibited under HIPAA, so you can report concerns without fear. After you file, OCR will review your complaint and may start an investigation, potentially leading to a resolution agreement if violations are confirmed. Don’t let the 180-day deadline slip by—take action to protect your health information privacy.

Will I be informed of the outcome?

Yes, you will be informed of the outcome after you file an OCR complaint about a potential HIPAA violation. Once the Office for Civil Rights (OCR) completes its investigation, you will receive written notice regarding the results. This communication will let you know whether the OCR found any evidence that a covered entity or business associate violated HIPAA rules, and what actions—if any—will be taken as a result.

The OCR typically explains the steps they took during the investigation, including whether the issue was resolved informally, required a resolution agreement, or if no violation was found. If the OCR issues a resolution agreement or corrective action plan, you’ll be notified of these outcomes as well. Transparency is a key part of the process, and you have the right to know how your complaint was handled.

If you experience retaliation for filing a complaint, you should immediately inform the OCR, as HIPAA prohibits any retaliatory actions. While the case is open, you can ask about its status by contacting the OCR directly, using the case number from your confirmation. OCR does not provide running updates during an investigation, but it will notify you in writing when the case is closed.

Can I withdraw or amend my complaint?

Yes, you can withdraw or amend your OCR complaint regarding a HIPAA violation after submitting it. If you realize that you need to correct details, add more information, or even decide not to pursue your complaint, you have the option to contact the Office for Civil Rights (OCR) and request changes.

To amend or withdraw your complaint, simply reach out to OCR using the contact information provided in your initial confirmation or through the complaint portal you used. Be sure to include your case number or any identifiers so OCR can easily find your file. Acting quickly is important, especially if you’re still within the 180-day deadline for reporting violations.

Withdrawing your complaint will generally end OCR's handling of it. OCR does, however, retain the authority to examine a covered entity or business associate on its own initiative (for example, through a compliance review) if the facts suggest a broader pattern of noncompliance. Amending your complaint can help clarify facts, which is useful for a thorough investigation and possible resolution agreement.

Remember, HIPAA prohibits retaliation against anyone who files, amends, or withdraws a complaint. If you face any retaliatory actions, report them immediately through the complaint portal or to OCR staff.
