How to File a HIPAA Privacy Rule Complaint: OCR Portal Steps, 180‑Day Deadline, and Evidence Checklist
Access OCR Complaint Portal
You can start an OCR complaint submission online when you believe a HIPAA Privacy Rule violation occurred. The portal guides you through identifying the organization, describing what happened, and uploading evidence. Have names, dates, and documents ready before you begin.
Before you start, gather the basics so the process is quick and accurate:
- Full legal name of the covered entity or business associate and the location where the incident occurred.
- Exact dates (or best estimates) for each event related to the violation.
- Your contact details and preferred communication method for follow-up.
- Digital copies of key documents you plan to upload.
Inside the portal, select that your issue concerns the Privacy Rule, confirm the entity type (health plan, provider, clearinghouse, or business associate), and follow the prompts to create your case. Save your work if you need to return later.
Provide Complainant Information
Enter your name, mailing address, email, and phone so OCR can contact you. If you are filing for someone else, identify your relationship and provide proof of authority (for example, power of attorney or parental/guardian status) so OCR can discuss protected health information with you.
Indicate the person affected (you or another individual), preferred language, and any accessibility or accommodation needs. Clear, complete contact information helps OCR assess covered entity compliance and reach you promptly for clarifications.
- Use the same name across your complaint and supporting files to avoid confusion.
- Provide at least one alternate contact method.
- If multiple people were affected, clarify each person’s role and impact.
Detail Privacy Rule Violations
Describe what happened in a concise, chronological narrative: who did what, when, where, and how it affected you. Link each fact to a document or message when possible. Focus on conduct that implicates the Privacy Rule, such as impermissible uses or disclosures, denial or delay of access to your records, failure to provide a Notice of Privacy Practices, or uses beyond the minimum necessary.
If your concern involves a breach, explain how you learned of it and whether you received a breach notice; this context helps OCR evaluate issues under breach notification rules. Be specific about dates, departments, and individuals involved, and note any witnesses.
Evidence checklist
- Timeline of events with dates and times; names/titles of staff you spoke with.
- Copies of letters, emails, portal messages, faxes, or text messages related to the event.
- Right-of-access request and responses (including any denial letters and reasons given).
- Screenshots of patient portal activity or mailed documents that reveal PHI.
- Insurance Explanations of Benefits, bills, or statements showing disclosures.
- Notices and forms: Notice of Privacy Practices, authorizations, acknowledgments.
- For breaches: breach notification letters, date received, and any credit monitoring offers.
- Witness names/contact information and a brief summary of what they observed.
Label each file clearly (for example, “2025-03-14_access-request.pdf”) and reference it in your narrative. Avoid editing or annotating originals; add notes in a separate document if needed.
Complete Consent Form
OCR typically needs your permission to share your complaint details and identity with the organization so it can investigate. The consent form requirements generally include your name, authorization for OCR to disclose information as needed, and your electronic signature with the date.
- Read what you are authorizing OCR to disclose and the purpose of disclosure.
- If filing for someone else, include documentation showing your authority to consent on their behalf.
- You may decline to allow disclosure, but doing so can limit OCR’s ability to investigate or obtain a remedy specific to you.
Sign electronically, confirm the date, and retain a copy for your records. If you change your mind later, notify OCR in writing; be aware that revoking consent may affect the investigation.
Review and Submit Complaint
Before submitting, verify accuracy and completeness. Small details—like the exact clinic name or a missing date—can slow review. Ensure attached files open correctly and match the events described.
- Re-read your narrative for clarity and logical order.
- Confirm every allegation ties to a date, person, and document when available.
- Attach all supporting files and note any evidence you will send later.
Submit the complaint through the portal. You should receive a confirmation and, typically, a case or tracking number. Store that number and monitor your email for follow-up questions or requests for additional information.
Understand 180-Day Filing Deadline
The complaint statute of limitations for HIPAA Privacy Rule issues is generally 180 days from the date you knew—or reasonably should have known—about the violation. File as soon as possible; waiting risks missing the deadline and losing review options.
OCR may, at its discretion, extend the 180-day period for good cause. If you are past the deadline, still submit and briefly explain the circumstances (for example, serious illness or obstacles outside your control). The portal accepts submissions 24/7, including weekends and holidays.
Recognize Retaliation Protections
The retaliation prohibition under HIPAA protects you for filing a complaint, assisting in an investigation, or otherwise exercising your HIPAA rights. Covered entities and business associates may not intimidate, threaten, coerce, or discriminate against you because of your complaint.
- Examples include firing or demoting an employee, refusing services, or imposing new barriers or fees after you complain.
- If you suspect retaliation, document the conduct with dates and communications and notify OCR, referencing your case number.
Stay focused on facts, keep consistent records, and respond promptly to OCR requests. A clear narrative plus strong documentation gives OCR the best chance to evaluate covered entity compliance and resolve your concerns.
FAQs
What is the deadline for filing a HIPAA complaint?
In most cases, you must file within 180 days of when you knew or should have known about the alleged violation. OCR can extend this period for good cause, so submit promptly and explain any delay.
How do I submit evidence with my HIPAA complaint?
Upload digital files in the portal and reference each item in your narrative. Use descriptive filenames, include dates, and keep originals. If a file is too large or unavailable at submission, note that you will provide it upon OCR’s request.
Can I file a HIPAA complaint anonymously?
You may withhold permission to disclose your identity to the organization, and you can submit limited information; however, OCR’s ability to investigate and obtain a person-specific remedy may be restricted without your identity and consent. Providing contact information generally improves OCR’s ability to act.
What protections exist against retaliation for filing a complaint?
HIPAA prohibits covered entities and business associates from retaliating against you for filing a complaint or participating in an investigation. If retaliation occurs, document it and inform OCR; retaliation itself can be a separate violation.