How to File a HIPAA Complaint: A Beginner's Step-by-Step Guide


Kevin Henry

HIPAA

March 21, 2025

8 minute read

Determine Appropriate Entity

You first need to confirm who is responsible and whether HIPAA applies. HIPAA covers health plans, most healthcare providers, and healthcare clearinghouses, as well as certain vendors that handle protected health information on their behalf.

Covered Entity vs. Business Associate

  • Covered Entity: A doctor’s office, hospital, health plan, or pharmacy that directly handles your protected health information (PHI).
  • Business Associate: A vendor that performs services for a covered entity involving PHI—such as a billing company, IT contractor, cloud storage provider, or transcription service.

Identify exactly which organization acted (or failed to act). This helps OCR route your complaint and evaluate responsibility.

Identify the Type of Violation

  • HIPAA Privacy Rule: Addresses permissible uses/disclosures and your individual rights (e.g., improper disclosure of records, denial of access, failure to provide a Notice of Privacy Practices).
  • HIPAA Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI (ePHI), such as access controls and encryption.
  • Breach Notification Rule: Requires timely notice to you and, in some cases, to regulators and the media after certain PHI breaches.

Choose Where to Complain

You can complain directly to the organization’s privacy officer and/or to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). If the issue involves a non‑HIPAA app or consumer service, you may also consider relevant consumer protection authorities, but HIPAA enforcement rests with OCR.

Gather Necessary Information

Well-organized facts make your complaint clearer and faster to evaluate. Collect details that show what happened, when, and who was involved.

Core Facts to Collect

  • Your name and contact information.
  • Name and contact details of the covered entity or business associate.
  • Dates and locations of the incident(s).
  • A concise description of what occurred and why you believe it violates HIPAA.
  • Names/titles of people you interacted with and any case or account numbers.

Supporting Evidence

  • Copies of letters, emails, portal messages, policy excerpts, or screenshots.
  • Notice of Privacy Practices, denial letters, billing statements, or audit logs if you have them.
  • Notes of phone calls (date, time, who you spoke with, what was said).

Protect Your Privacy

Share only the minimum necessary PHI to explain the issue. Redact unrelated medical details from attachments where possible, and label files clearly to show their relevance.

Prepare Your Complaint

A clear, factual narrative helps reviewers quickly understand the issue and the HIPAA rule(s) at stake. Aim for brevity and precision.

Draft a Straightforward Narrative

  • Opening: Identify the organization and your relationship to it (patient, plan member, employee, etc.).
  • Timeline: List key dates and events in order.
  • Violation: State which rule you believe applies (Privacy, Security, or Breach Notification) and why.
  • Impact: Note consequences (e.g., delayed care, anxiety, financial exposure).
  • Requested outcome: Training, policy change, access to records, breach notice, or other corrective steps.

Map Facts to HIPAA Rules

  • Privacy Rule examples: improper disclosure to an unauthorized person; denial or delay of your right of access; failure to provide a valid authorization process.
  • Security Rule examples: weak access controls, unencrypted devices, failure to conduct a risk analysis for ePHI.
  • Breach Notification Rule examples: not notifying you after a breach, or notifying you far beyond required timelines.

If You File for Someone Else

State your authority (e.g., parent/guardian, personal representative, or written authorization). Attach documentation showing you can act on the individual’s behalf.

Submit Your Complaint

You can file with OCR electronically or by paper. Electronic filing is usually fastest and helps ensure required fields are complete.

Use the OCR Complaint Portal

  • Enter your contact details and select whether you’re filing for yourself or another person.
  • Identify the covered entity or business associate and the dates of the incident.
  • Paste or upload your narrative and attach supporting documents.
  • Certify that your statements are true and submit. Save the confirmation or case number.

Other Submission Methods

If you cannot use the OCR Complaint Portal, you may send a written complaint to OCR. Include your signature, the organization’s details, dates, a clear description, and copies of relevant documents. Keep copies of everything you submit.

After You Submit

Watch for OCR messages requesting clarification or additional records. Respond promptly. Keep your evidence organized so you can quickly provide what’s asked.

Understand the Complaint Process

OCR evaluates whether it has jurisdiction and whether your facts suggest a HIPAA violation. From there, the matter may close quickly, resolve cooperatively, or proceed to deeper review.

Intake and Jurisdiction Review

  • OCR verifies timeliness and whether the organization is a covered entity or business associate.
  • OCR may seek more information if key facts are missing.

Informal Resolution

When appropriate, OCR may resolve matters through technical assistance or voluntary corrective steps—often called Informal Resolution. This can include staff training, policy updates, or improvements to access processes.

Formal Investigation

More serious or systemic issues may move into Formal Investigation. OCR can request documents, interview witnesses, and assess safeguards. Outcomes can include a Resolution Agreement with a Corrective Action Plan, ongoing monitoring, or civil money penalties in certain cases.

Possible Outcomes

  • Closure with technical assistance or voluntary compliance.
  • Corrective Action Plan and monitoring.
  • Civil money penalties for violations in eligible cases.
  • Closure for lack of jurisdiction, insufficient evidence, or untimeliness.

Important Limits

HIPAA does not provide a private right to sue for damages. OCR focuses on compliance and corrective action; it does not award personal monetary compensation. You may still have separate rights under other laws depending on the facts.

Be Aware of Time Limits

File as soon as possible. Generally, you must file within 180 days from when you knew—or should reasonably have known—about the act or omission. OCR may extend this for good cause, but you should not rely on an extension.

When the Clock Starts

  • If a disclosure happened on one day, the 180‑day period usually starts when you learn of it.
  • If access to records is denied or delayed, the clock may start when the deadline to respond has passed and you become aware of the delay.

Good Cause Extensions

Explain any reasons for delay (e.g., hospitalization, disaster, or time spent pursuing the entity’s internal grievance process). Provide dates and supporting documents to help OCR evaluate good cause.

Breaches and Notification

If you discover a possible breach and did not receive required notice, that may implicate the Breach Notification Rule. Note when you learned of the breach and what follow‑up you received, if any.

Know Your Rights Against Retaliation

HIPAA’s Retaliation Prohibition forbids covered entities and business associates from intimidating, threatening, coercing, discriminating, or taking other adverse action against you for filing a complaint, participating in an investigation, or exercising HIPAA rights.

Examples of Retaliation

  • Refusing care or services, unjustified discharge, or fee hikes because you complained.
  • Workplace discipline, demotion, schedule cuts, or harassment tied to your HIPAA report.

If Retaliation Occurs

  • Document what happened—dates, names, and any communications.
  • File an additional complaint describing the retaliation and referencing the Retaliation Prohibition.
  • If you are an employee, consider whether labor or whistleblower protections may also apply.

Conclusion

To file a HIPAA complaint effectively, confirm the responsible entity, connect the facts to the HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule, present clear evidence, and submit through the OCR Complaint Portal or by paper. Act within 180 days, respond to OCR requests, and assert your protection against retaliation. Clarity, timeliness, and thorough documentation are your best tools.

FAQs

What information is needed to file a HIPAA complaint?

Provide your contact details; the covered entity or business associate’s name and address; dates of the incident; a concise description of what occurred; which rule you believe applies (Privacy, Security, or Breach Notification); and copies of supporting documents. If filing for someone else, include proof of your authority.

How do I submit a HIPAA complaint?

The fastest option is the OCR Complaint Portal, where you complete required fields, attach evidence, certify your statements, and submit. You can also send a written complaint to OCR. Keep your confirmation or case number and respond promptly to any follow‑up requests.

What is the time limit for filing a HIPAA complaint?

You generally have 180 days from when you knew—or reasonably should have known—about the incident. OCR may allow a good cause extension, but you should file as soon as possible to avoid timeliness issues.

Can I be retaliated against for filing a HIPAA complaint?

No. The Retaliation Prohibition bars covered entities and business associates from adverse actions against you for exercising HIPAA rights or participating in an investigation. If retaliation occurs, document it and file an additional complaint describing the retaliatory conduct.
