How to File a HIPAA Complaint with HHS OCR: Step-by-Step Guide, Deadlines, and What to Include


Kevin Henry

HIPAA

March 20, 2024


Determine Eligibility of Covered Entities

Confirm OCR jurisdiction

Before you file, verify that the organization you’re reporting is a Covered Entity or a Business Associate under HIPAA. Covered Entities include health plans, most health care providers that transmit claims electronically, and health care clearinghouses. Business Associates are vendors or contractors that handle protected health information for a Covered Entity, such as billing services, IT support, or transcription companies.

HIPAA generally does not apply to employers, life insurers, most schools, or many consumer apps unless they act for a Covered Entity. If the organization is outside HIPAA, the Office for Civil Rights (OCR) may close or refer your complaint, so eligibility is the first gate to clear.

Identify the rule at issue

Frame your concern under the HIPAA Privacy, Security, or Breach Notification Rules. Examples include improper disclosures, failure to provide access to records, inadequate safeguards, or breach notification problems. This helps OCR quickly route your submission to the right team.

Gather Complainant and Incident Details

Collect essential information

Prepare the specifics you’ll enter on the Health Information Privacy Complaint Form. You should have your name and contact information, the name and address of the organization, dates of the incident, what happened, who was involved, and what records were affected. Include whether you are a patient, plan member, workforce member, or other individual.

Assemble supporting evidence

Gather documents that corroborate your account, such as emails, letters, screenshots, notices of privacy practices, access requests, denials, call logs, or breach letters. Label files clearly with dates. If you received partial responses, note what is missing and any follow‑up attempts.

If you’re filing for someone else, you may need a signed Consent Authorization or proof that you’re the person’s legal personal representative. For minors or incapacitated individuals, include guardianship papers, a health care proxy, or power of attorney, as applicable.

Submit Complaint via Online Portal or Mail

Use the online portal

The fastest method is the OCR online complaint portal. Create or use an account, enter your details from the Health Information Privacy Complaint Form, and upload evidence. Review everything for accuracy, certify your statements, and submit. Save or print the confirmation page and your complaint tracking number.

Or file by mail

You can also print and complete the Health Information Privacy Complaint Form and mail it with copies of your evidence. Sign and date the form, keep copies of everything you send, and use a mail option that provides delivery confirmation. Address your package to the Office for Civil Rights, noting that intake is handled by Centralized Case Management Operations.

Practical submission tips

  • Be concise and specific; list dates, locations, and individuals by role.
  • Explain how the action violated HIPAA and any harm or risk you experienced.
  • If you prefer OCR not disclose your identity to the organization, say so; understand that sharing may be necessary to investigate.

Understand Filing Deadlines and Extensions

The 180‑day rule

You generally must file within 180 days from when you knew, or should have known, about the alleged violation. If multiple incidents occurred, note each date; the earliest date usually starts the clock.

Good‑cause extensions

OCR can accept late complaints for good cause—for example, serious illness, incapacity, lack of key information, ongoing intimidation, or other circumstances outside your control. If you’re past 180 days, file anyway and clearly explain why you could not submit sooner.


Await OCR Review and Investigation Outcomes

Intake and screening

After submission, Centralized Case Management Operations reviews your materials, confirms jurisdiction, and assigns a case or requests more information. You’ll typically receive an acknowledgment with your tracking number.

The Complaint Investigation Process

When OCR opens a case, investigators may request records from the organization, interview witnesses, and assess policies, risk analyses, and security measures. OCR evaluates whether HIPAA violations occurred and what corrective actions are required to bring the entity into compliance.

Potential results

Outcomes may include technical assistance to the entity, voluntary resolution with specific fixes, a corrective action plan with monitoring, or civil money penalties in serious cases. If OCR lacks jurisdiction or evidence, it may close the complaint and inform you of the reason.

Recognize and Report Retaliation

Retaliation Prohibition

HIPAA bars Covered Entities and Business Associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint or cooperating with OCR. Examples include denying services, increasing fees, or firing an employee because they spoke up.

What to do if retaliation occurs

Document dates, people involved, and what was said or done. Report retaliation to OCR promptly, referencing your complaint number. Provide any new evidence so OCR can address both the original allegation and the retaliatory conduct.

Maintain Documentation of Complaint Process

Keep an organized record

Maintain a timeline of events, copies of your complaint, portal confirmations, letters or emails from OCR, and all correspondence with the organization. Store phone logs with dates, names, and summaries. These records help you respond quickly to OCR requests.

Follow up effectively

If OCR asks for more information, respond by the stated date and confirm receipt. If you change your contact details, notify OCR immediately so you don’t miss deadlines or requests during the investigation.

Key takeaways

  • Verify that the organization is a Covered Entity or Business Associate and that the issue is HIPAA‑related.
  • Use the Health Information Privacy Complaint Form to clearly present facts, dates, and evidence.
  • File within 180 days or explain good cause for any delay.
  • Know your rights under the Retaliation Prohibition and document everything from submission through resolution.

FAQs

What information is required to file a HIPAA complaint?

You’ll need your contact details, the name and address of the organization, dates of the incident, a clear description of what happened, which records or systems were involved, and any evidence. If filing for someone else, include a Consent Authorization or proof of personal‑representative status. Submitting through the Health Information Privacy Complaint Form ensures you provide all required fields.

How long do I have to file a HIPAA complaint?

Generally, you must file within 180 days from when you knew, or should have known, about the violation. OCR may grant an extension for good cause, such as illness, incapacity, or difficulty obtaining information. If you’re unsure, file and explain the delay.

Can I file a complaint on behalf of someone else?

Yes. You can file for another person if you have their written Consent Authorization or legal authority as a personal representative (for example, a health care proxy, power of attorney, or guardianship). Include documentation with your submission so OCR can verify your authority.

What happens after I file a HIPAA complaint?

OCR’s Centralized Case Management Operations screens your complaint and assigns it for review if within jurisdiction. During the Complaint Investigation Process, OCR may request additional information, contact the organization, and require corrective action if violations are found. You’ll receive updates or a closure letter explaining the outcome.
