How to File a HIPAA Complaint for Negligence: Where to Report and What to Include


Kevin Henry

HIPAA

March 13, 2024


When negligence exposes or mishandles your protected health information (PHI), you can pursue HIPAA violation reporting to hold organizations accountable. This guide explains how to file a HIPAA complaint for negligence, where to report it, and what to include so your submission is complete and more likely to prompt action.

Identify the Covered Entity

Start by confirming whether the organization is a Covered Entity or a Business Associate subject to HIPAA. Covered Entities include healthcare providers, health plans, and healthcare clearinghouses that handle PHI. Business Associates are vendors or service providers that create, receive, maintain, or transmit PHI on behalf of a Covered Entity.

Clarify who was responsible for the incident and how PHI was used or disclosed. Note the role of each party (for example, a clinic versus its billing vendor) and how their obligations relate to Privacy Rule Compliance. If multiple organizations were involved, list each one separately with names, addresses, and available contact details.

Gather Necessary Information

Collect clear, factual documentation before you file. Good records make it easier for investigators to determine whether HIPAA was violated and by whom.

  • Your full name, mailing address, phone, and email.
  • The Covered Entity or Business Associate’s legal name, address, and any known department or contact.
  • Patient name (if different from you) and how you are related to the patient.
  • Dates, times, locations, and a concise chronology of what happened.
  • Descriptions of the protected health information (PHI) involved (no need to include the PHI itself) and how it was accessed, used, or disclosed.
  • Copies of emails, letters, screenshots, voicemails, photographs, or logs that support your account.
  • Any notice you received under Breach Notification Requirements; attach or transcribe the key details.
  • Names or titles of individuals you spoke with and summaries of those conversations.

Document harm and impact

Briefly note any consequences you experienced (for example, identity theft concerns, reputational harm, or delayed care). Keep this factual and tied to the incident timeline.

File the Complaint

Submit your complaint to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). The fastest method is the OCR Complaint Portal; you can also submit by mail, fax, or email to an OCR regional office. You may additionally notify the organization’s privacy officer, but that does not replace filing with OCR.

  • Choose a filing method (OCR Complaint Portal is recommended for speed and tracking).
  • Enter your contact information and identify the Covered Entity or Business Associate.
  • Provide a clear narrative: what happened, when, where, and who was involved.
  • Upload supporting documents and reference any Breach Notification Requirements notices you received.
  • Sign and date the complaint; provide consent for OCR to share details if requested, which can help the investigation.
  • Save a copy of your submission and any confirmation number for your records.

Act promptly. HIPAA complaints generally must be filed within a limited window from when you knew or should have known about the issue. If you are approaching the deadline, file now and supplement with additional documents later.

Include Required Details

Strong complaints are specific and organized. Align your description to key HIPAA requirements, especially Privacy Rule Compliance and, if relevant, Breach Notification Requirements.

  • Who: the exact Covered Entity or Business Associate and involved staff roles or departments.
  • What: the action or inaction that reflects negligence (e.g., misdirected records, unlocked systems, improper disclosures, denial or delays in access).
  • When and where: precise dates, times, and locations; indicate whether the issue is ongoing.
  • How: the mechanism of exposure or failure (lost device without safeguards, shared login credentials, mailed PHI to the wrong address, etc.).
  • Which rule: reference the area you believe applies (Privacy Rule Compliance, Security safeguards, or Breach Notification Requirements after a breach).
  • Impact: concise description of risks or harms you experienced or anticipate.
  • Supporting evidence: list and attach documents or screenshots; label files clearly.
  • Desired outcome: corrective actions you seek (e.g., training, safeguards, policy changes, fulfillment of access requests).

Sample allegation outline

  • On [date], at [location], [Covered Entity/Business Associate] [describe negligent act].
  • PHI affected included [general categories, not the PHI itself].
  • This appears inconsistent with [Privacy Rule Compliance/Breach Notification Requirements], resulting in [describe impact].
  • Attached are [list of exhibits] supporting this account.

Await Investigation Outcome

After you submit, OCR conducts an intake review to confirm jurisdiction and completeness. You may receive requests for more information or a consent form allowing OCR to share your identity and complaint details with the organization; consenting can assist the investigation.

If OCR opens a case, it may request records from the organization, interview witnesses, and assess policies, training, and safeguards. Outcomes can include technical assistance, voluntary compliance, corrective action plans, resolution agreements, or civil monetary penalties in serious cases. If OCR lacks jurisdiction or sufficient information, it may close the matter and explain why.

Keep your documentation organized, respond quickly to OCR requests, and note any ongoing issues or retaliation concerns. Processing times vary based on complexity and caseload.

Conclusion

To file a HIPAA complaint for negligence, identify the Covered Entity, gather proof, submit through the OCR Complaint Portal or other OCR channels, include the required details tied to Privacy Rule Compliance and Breach Notification Requirements, and monitor the case to support a thorough review.

FAQs

What information is needed to file a HIPAA complaint?

You’ll need your contact details; the Covered Entity or Business Associate’s full name and address; dates, locations, and a clear description of what happened; the types of PHI involved; supporting documents (emails, screenshots, letters); and any notices received under Breach Notification Requirements. Include a concise statement of the suspected rule violation and your desired outcome.

How long do I have to file a HIPAA complaint?

Generally, you must file within 180 days from when you knew, or should have known, about the issue. OCR may allow extra time if you can show good cause for delay, so file as soon as possible and provide an explanation if you think you’re past the usual window.

Where do I submit a HIPAA complaint?

Submit to the U.S. Department of Health and Human Services Office for Civil Rights. The OCR Complaint Portal is the fastest route, but you can also file by mail, fax, or email with a regional OCR office. You may additionally notify the organization’s privacy officer, though that does not replace filing with OCR.

What happens after a HIPAA complaint is filed?

OCR reviews your complaint for jurisdiction and completeness, may request more information, and decides whether to open an investigation. If it proceeds, OCR gathers records, assesses policies and safeguards, and works toward resolution—ranging from technical assistance and corrective actions to formal resolution agreements or penalties in serious cases. You’ll be notified of the outcome when the review concludes.
