How to File a HIPAA Complaint: Step-by-Step Guide, Best Practices, and Compliance Tips


Kevin Henry

HIPAA

March 21, 2025


Understanding HIPAA Complaint Eligibility

If you believe your privacy, security, or access rights under HIPAA were violated, you can file a complaint. Eligible complainants include patients, health plan members, personal representatives (such as parents or legal guardians), and workforce members who observed potential violations.

A HIPAA complaint must generally involve a HIPAA-covered entity (a health plan, most healthcare providers who transmit standard transactions, or a healthcare clearinghouse) or a business associate working on its behalf. Complaints about privacy, security, and breach notification issues are handled by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Complaints about standardized electronic transactions, code sets, and unique identifiers fall under CMS Administrative Simplification Enforcement.

Typical issues include unauthorized use or disclosure of PHI, failure to provide timely access to records, inadequate safeguards for ePHI, improper minimum-necessary practices, missing breach notifications, or impermissible marketing or fundraising uses of PHI.

Methods for Filing HIPAA Complaints

You can file directly with the government or submit internally to the organization. Filing internally is optional; you may go straight to regulators.

  • Online submission to OCR: Use the OCR Complaint Portal to report Privacy, Security, or Breach Notification Rule concerns.
  • Mail, email, or fax to OCR: If you prefer, you can submit written complaints with your signature and supporting materials through these methods.
  • Administrative Simplification complaints: For transaction, code set, identifier, and operating rule issues, file through the CMS Administrative Simplification Enforcement process.
  • Internal complaint: You may also report concerns to the provider’s or plan’s privacy or compliance office. Keep copies of what you submit and any replies you receive.

Essential Information for Complaint Submission

Providing clear, complete details helps regulators determine jurisdiction and investigate efficiently. Include:

  • Your name and contact information (and whether you are the patient, a personal representative, or a workforce member). If you request confidentiality, state that in your submission.
  • The name of the organization you are complaining about and whether it is a HIPAA-covered entity or a business associate.
  • Dates, locations, and a concise description of what happened, the PHI involved (avoid attaching unnecessary sensitive data), and why you believe HIPAA was violated.
  • Any steps you took internally, the names or departments involved, and relevant policies, screenshots, emails, letters, or logs.
  • Your signature and a statement that the information is true to the best of your knowledge.

To meet complaint documentation requirements, keep your own file containing what you submitted, when you submitted it, and any responses you receive. Covered entities and business associates should document complaints and their disposition and retain those records for at least six years.

Timelines and Deadlines for Filing

There is a 180-day filing deadline, measured from the date you knew or reasonably should have known of the potential violation. OCR may extend this period if you show good cause for delay (for example, if you were seeking internal resolution or lacked timely access to key facts).


  • After submission, you typically receive an acknowledgment. Intake review focuses on jurisdiction, timeliness, and the adequacy of facts provided.
  • If OCR investigates, the organization may be asked for records and a response. Time to resolution varies with complexity; some cases close quickly with technical assistance, while others take months.
  • For Administrative Simplification matters, CMS requests information from the parties and may require corrective action; timelines similarly vary by case.

Prohibited Retaliation Practices

HIPAA’s non-intimidation and non-retaliation standard forbids organizations from punishing you for filing a complaint or participating in an investigation. Retaliation protections bar actions such as:

  • Firing, demoting, reducing hours, reassigning to undesirable duties, or otherwise disciplining an employee who reported a concern.
  • Denying services, increasing charges, withholding medical records, or threatening a patient for submitting a complaint.
  • Harassment, intimidation, coercion, or any conduct that would dissuade a reasonable person from reporting.

If you experience retaliation, note dates, witnesses, and documents, and include that information in your complaint.

Internal Handling of HIPAA Complaints

Organizations should operate a consistent, documented process that protects complainants, speeds mitigation, and demonstrates compliance. A practical approach includes:

  • Centralize intake: Route complaints to the privacy officer (and security officer if ePHI is involved). Acknowledge receipt promptly.
  • Triage and scope: Determine whether the issue implicates HIPAA Privacy, Security, Breach Notification, or CMS Administrative Simplification Enforcement topics.
  • Preserve evidence: Secure relevant emails, logs, and system records; limit further exposure of PHI.
  • Investigate and mitigate: Interview involved staff, review policies, and apply immediate safeguards to prevent recurrence.
  • Assess breach obligations: Conduct risk-of-compromise analysis; if a breach occurred, follow notification requirements.
  • Corrective action: Update policies, deploy technical controls, retrain staff, and apply sanctions when warranted.
  • Close and document: Record findings, decisions, and remediation. Meet complaint documentation requirements and retain records for six years.

Integrate these steps into your incident response plan so your team can act quickly and consistently.

Implementing HIPAA Compliance Best Practices

  • Governance and risk management: Perform an enterprise risk analysis, maintain a risk register, and review it at least annually.
  • Access controls and minimum necessary: Enforce role-based access, multifactor authentication, and routine access reviews.
  • Technical safeguards: Encrypt ePHI in transit and at rest, patch systems, and monitor with audit logs and alerts.
  • Workforce readiness: Provide initial and refresher training, test understanding, and document attendance and competencies.
  • Vendor management: Inventory business associates, execute and review BAAs, and evaluate vendor security.
  • Patient rights operations: Maintain reliable processes for access, amendments, restrictions, confidential communications, and accounting of disclosures.
  • Preparedness: Maintain and test an incident response plan that includes complaint intake, investigation playbooks, and post-incident reviews.

In short, know where to file, submit clear facts before the 180-day filing deadline, preserve evidence, and follow a consistent, well-documented process. Strong preventive controls and responsive complaint handling reduce risk and build trust.

FAQs

Who can file a HIPAA complaint?

Anyone who believes their HIPAA rights were violated—or who witnessed a potential violation—can file, including patients, health plan members, personal representatives, and workforce members. Complaints may target a HIPAA-covered entity or its business associate.

What information is required to file a HIPAA complaint?

Provide your contact details, the organization’s name, dates, a clear narrative of what happened, why it violates HIPAA, and supporting materials such as emails or screenshots. Sign your submission and keep copies to satisfy your own complaint documentation requirements.

How are complaints processed by CMS?

CMS handles Administrative Simplification matters. After intake and jurisdiction review, CMS requests information from the parties, evaluates compliance with transaction, code set, identifier, and operating rule standards, and may require corrective action or impose civil monetary penalties. This CMS Administrative Simplification Enforcement process continues until issues are resolved and verified.

What protections exist against retaliation for filing a complaint?

HIPAA’s retaliation protections prohibit threats, intimidation, coercion, discrimination, or adverse actions against anyone who files a complaint or cooperates with an investigation. If retaliation occurs, document it and include those details in your complaint.
