How to File a HIPAA Complaint: Real-World Scenarios and Step-by-Step Guidance


Kevin Henry

HIPAA

March 21, 2025


Determine Eligibility for Filing

Who can file and when HIPAA applies

You can file a complaint if you believe your protected health information (PHI) was mishandled by a Covered Entity or its Business Associate. Covered Entities include health plans, most health care providers, and health care clearinghouses; Business Associates are vendors that create, receive, maintain, or transmit PHI on their behalf.

Real‑world scenarios that qualify

  • A clinic posts a patient’s full name and diagnosis on a public calendar.
  • A pharmacy hands you another patient’s medication bag with their label visible.
  • An insurer refuses timely access to your medical records or charges unreasonable fees.
  • A billing vendor (Business Associate) loses an unencrypted laptop containing PHI.
  • You never receive a required breach notice after your data was exposed.

When HIPAA likely does not apply

HIPAA generally does not cover employers acting as employers, educational records protected by FERPA, or consumer health apps that are not working for a Covered Entity. You may still have other privacy or state-law options, but those are outside HIPAA’s process.

Review the Complaint Process

How the Office for Civil Rights handles reports

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) receives your Complaint Submission, confirms HIPAA jurisdiction and timeliness, and decides whether to open an investigation. OCR may first seek an early resolution by contacting the entity to fix the issue quickly.

High-level steps you will take

  1. Verify eligibility and the entities involved (Covered Entity or Business Associate).
  2. Gather facts, dates, documents, and witness details.
  3. Complete and send your Complaint Submission to the Office for Civil Rights.
  4. Respond to OCR requests and participate in Investigation Cooperation.
  5. Receive a closure letter describing the outcome and any corrective actions.

Gather Necessary Information

Your preparation checklist

  • Your name, contact information, and preferred way to communicate. If filing for someone else, include your relationship and authority.
  • The name, role, and contact information of the Covered Entity or Business Associate you believe violated HIPAA.
  • Specific dates (or date ranges), locations, and a concise description of what happened and how PHI was affected.
  • Any supporting documents: letters, bills, screenshots, policies, breach notices, or access-request correspondence.
  • Names of people involved or witnesses, if known.
  • Whether you tried to resolve the issue with the entity and what happened.
  • A statement if you request confidentiality of your identity during the investigation.

Submit the Complaint

Ways to file

You may file through OCR’s online portal, by mail, or by email/fax using OCR’s form. Keep copies of everything you send. If you need accessibility or language assistance, you can request it in your Complaint Submission.

What to include and how to write it

  • Stick to facts: who, what, when, where, and how PHI was impacted.
  • Attach only relevant evidence and label files clearly (for example, “Breach notice – May 5”).
  • Explain ongoing harm (e.g., identity theft concerns or denial of record access).
  • Note any retaliation concerns; HIPAA’s Retaliation Prohibition protects you from adverse action for filing.
  • Sign and date the submission, and provide the best phone and email to reach you quickly.

Understand the Filing Timeline

Deadlines and expectations

In most cases, you must file within 180 days of when you knew or should have known of the violation. OCR may extend this deadline if you show good cause, so file as soon as possible and explain any delay.

Processing and investigation timelines vary with case complexity and workload. Many matters close in a few months; complex investigations, especially those involving systemic fixes, can take longer. You will receive updates or requests for information as the case progresses.

Cooperate with OCR Investigation

Best practices for Investigation Cooperation

  • Respond promptly and completely to OCR’s questions; confirm receipt and deadlines.
  • Organize evidence chronologically and provide brief summaries to speed review.
  • Preserve all emails, messages, and documents—do not delete anything related.
  • Share names of staff who interacted with you and copies of any policies you were given.
  • If the issue gets resolved during the inquiry (e.g., you receive your records), inform OCR.

Anticipate Possible Outcomes

What OCR may do

  • Provide Technical Assistance to the entity or close the case if no violation is found.
  • Achieve Early or Voluntary Resolution where the entity quickly corrects issues.
  • Require a Corrective Action Plan with monitoring to fix policies, training, or safeguards.
  • Impose Civil Monetary Penalties for serious, persistent, or willful violations.
  • Refer potential criminal matters to the Department of Justice if appropriate.
  • Remind entities of the Retaliation Prohibition; report any retaliatory acts to OCR immediately.

What you can do alongside OCR’s process

You may also raise concerns with the entity’s privacy officer and consider state privacy avenues. HIPAA itself does not give individuals a private right of action for damages, but OCR enforcement can drive corrective measures that protect you and others.

Conclusion

Confirm that HIPAA applies, gather clear evidence, and submit a focused Complaint Submission to the Office for Civil Rights. Respond quickly during Investigation Cooperation, and be aware of outcomes ranging from technical assistance to Civil Monetary Penalties. Acting promptly helps protect your privacy and encourages lasting fixes.

FAQs

What information is required to file a HIPAA complaint?

Provide your contact details, the name and contact information of the Covered Entity or Business Associate, dates and a concise description of what happened, any supporting documents, witness names if available, and whether you want OCR to keep your identity confidential. If filing for someone else, include your relationship and authority.

How long do I have to file a HIPAA complaint?

You generally have 180 days from when you knew or should have known of the violation. OCR can extend this for good cause, so file as soon as possible and explain any delay. If an issue is ongoing, do not wait—submit promptly and note that it is continuing.

Can I file a HIPAA complaint anonymously?

OCR may review anonymous tips, but it typically needs your name and contact information to investigate and communicate with you. You can request that OCR keep your identity confidential to the extent allowed by law. You may also file on someone’s behalf with appropriate authority.

What happens after I file a HIPAA complaint?

OCR screens your Complaint Submission for jurisdiction and timeliness, may seek an early resolution, and can open an investigation. You might receive requests for more information. Outcomes include technical assistance, corrective action plans, settlement agreements, Civil Monetary Penalties, or closure if no violation is found. You will be notified when OCR closes the case.
