How to File a HIPAA Complaint for Negligence: Step-by-Step Guide

Kevin Henry

HIPAA

January 18, 2024

If you believe your protected health information (PHI) was mishandled, this step-by-step guide shows you how to file a HIPAA complaint for negligence. You will learn which agency to contact, what to include, how to meet deadlines, and what to expect under the HIPAA Privacy Rule and HIPAA Security Rule.

Determine Appropriate Entity

First, decide whether your issue belongs with the Office for Civil Rights (OCR) or the Centers for Medicare & Medicaid Services (CMS). OCR enforces the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements. CMS handles Administrative Simplification Enforcement, which covers standard transactions, code sets, operating rules, and unique identifiers.

Confirm that the organization is a Covered Entity (health plans, most providers, clearinghouses) or a business associate that handles PHI on a covered entity’s behalf. Then match the problem to the correct path:

  • Privacy or security issues (e.g., impermissible disclosures, snooping, weak safeguards, breach notifications) → file with OCR.
  • Transactions/operating rules issues (e.g., claim or eligibility standards, remittance advice, identifier use) → file with CMS via Noncompliance Reporting.
  • If aspects of both apply, you may submit complaints to both agencies, addressing each issue separately.

File Complaint with OCR

For Privacy, Security, or Breach Notification violations, submit a complaint through the OCR Complaint Portal. Filing online is typically fastest, though mail and email options exist. You can file for yourself or for someone else (with authority such as legal representation or written authorization).

  • Describe what happened, when it happened, and how it violates the HIPAA Privacy Rule or HIPAA Security Rule.
  • Identify the covered entity or business associate by full name, location, and any known contacts.
  • Explain any steps you took to resolve the issue directly and why the response was inadequate.
  • State whether OCR may share your identity with the entity (helpful for investigations).
  • Attach relevant evidence and keep copies of everything you submit.

File Complaint with CMS

For Administrative Simplification Enforcement, report noncompliance to CMS. This path addresses standard electronic transactions (such as claims, eligibility, enrollment/disenrollment, claim status, remittance advice), code sets, operating rules, and unique identifiers (like NPIs).

  • Specify the transaction or requirement at issue and the trading partner(s) involved (e.g., health plan, clearinghouse, billing service).
  • Provide dates, sample transactions or error messages, and explanations of how the standard was not followed.
  • Include correspondence showing attempts to resolve the issue (tickets, emails, or notices).
  • Submit only the minimum necessary data; avoid including PHI unless it is essential to explain the noncompliance.

Include Necessary Information

Clear, complete information helps your complaint move quickly. For either OCR or CMS, include:

  • Your name, preferred contact method, and mailing address (anonymous tips are limited; investigators often need follow-up).
  • The full legal name of the Covered Entity or business associate, with addresses and phone numbers if known.
  • A concise narrative: what happened, who was involved, where it occurred (e.g., portal, clinic, call center), and why it violates HIPAA.
  • Key dates and a simple timeline (discovery date, incident date, and any follow-up communications).
  • The HIPAA requirement you believe applies (Privacy, Security, Breach Notification, or Administrative Simplification).
  • Any ongoing risk to you or others that may require urgent action.

Submit Supporting Documentation

Evidence strengthens your complaint. Provide legible, relevant documentation that demonstrates noncompliance without exposing unnecessary PHI.

  • Letters or emails from the entity, portal screenshots, notices of privacy practices, breach letters, denial letters, or ticket numbers.
  • System messages or rejection reports for standard transactions, de-identified when possible.
  • Logs or audit entries showing impermissible access, device loss/theft reports, or policy excerpts that contradict HIPAA requirements.
  • Redact Social Security numbers, account numbers, and unrelated medical details; submit only what supports your claim.
  • Label files clearly (for example, “Timeline,” “Email_2025-04-12,” “Screenshot_Portal_Error”) and note how each document supports a specific fact.

Adhere to Filing Deadlines

For OCR complaints, you generally must file within 180 days of when you knew—or reasonably should have known—about the violation. OCR may extend this deadline for good cause, such as delayed discovery, incapacity, or other circumstances outside your control.

  • File as soon as you can; you can submit supplemental documents later if needed.
  • For CMS Administrative Simplification issues, report noncompliance promptly so records and transaction logs remain available for review.
  • Check any additional deadlines that may apply under state privacy laws or contractual grievance processes, which are separate from HIPAA.

Understand Investigation Process

After you submit, the agency screens your complaint for jurisdiction and sufficiency. If accepted, OCR or CMS assigns a case number and may contact you for more details. The respondent is notified and asked to provide records, policies, and an explanation.

OCR focuses on Privacy, Security, and Breach Notification. Outcomes may include technical assistance, voluntary compliance, a corrective action plan with monitoring, or civil money penalties in severe cases. CMS pursues Administrative Simplification Enforcement by working with trading partners to correct violations, requiring remediation plans, and imposing penalties when needed.

Expect updates at key stages and a written closure or resolution notice. HIPAA prohibits retaliation for filing a complaint. While investigations can drive corrective action and penalties, HIPAA itself does not provide a private right to damages; separate legal avenues may exist under other laws.

In short, choose the right agency, present a precise narrative tied to HIPAA requirements, supply targeted evidence, and file promptly. A well-prepared submission increases the likelihood of rapid, meaningful corrective action.

FAQs

What is the timeframe to file a HIPAA complaint for negligence?

For issues under the HIPAA Privacy Rule and HIPAA Security Rule, you generally have 180 days from when you knew or should have known about the violation. OCR may grant extensions for good cause. For Administrative Simplification matters handled by CMS, report noncompliance as soon as possible to preserve records and expedite enforcement.

How do I submit supporting documentation with my HIPAA complaint?

If filing via the OCR Complaint Portal, upload relevant files (emails, screenshots, notices) that support key facts. If you mail a complaint, include copies—never your only originals. For CMS noncompliance reporting, include transaction samples, rejection messages, and correspondence showing attempted resolution. Always redact unnecessary PHI and sensitive identifiers.

What happens after I file a HIPAA complaint?

You receive an acknowledgment and case number. The agency screens your complaint, requests additional information if needed, and notifies the entity to respond. Investigators review evidence, seek corrective action, and may require formal remediation or impose penalties. You are informed when the case is resolved or closed, along with the outcome.
