How to File a HIPAA Security Complaint with HHS OCR (Step-by-Step Guide)
Determine Eligibility of Entity
Start by confirming that your concern falls under the HIPAA Security Rule, which protects electronic protected health information (ePHI). The rule applies to a Covered Entity (health plans, health care clearinghouses, and most providers who transmit standard electronic transactions) and to each Business Associate that creates, receives, maintains, or transmits ePHI on a covered entity’s behalf.
Verify Complaint Jurisdiction before filing. OCR can generally investigate failures to implement required administrative, physical, and technical safeguards, security incident response, risk analysis, access controls, audit logs, encryption, or breach notification practices related to ePHI. Matters outside HIPAA (for example, a non–healthcare app not acting as a business associate) may be outside OCR authority and handled by another agency.
- Likely in scope: a medical practice, hospital, health plan, EHR vendor, billing company, cloud hosting provider handling ePHI.
- Likely out of scope: entities with no role in handling ePHI for a covered entity or business associate relationship.
Gather Complainant and Entity Information
Collect the details you will need for the Health Information Privacy Complaint Form. Clear, specific facts help OCR quickly assess your allegations and decide next steps.
- Your information: full name, mailing address, email, phone, and preferred contact method. If filing for someone else, include your relationship and authority (for example, legal guardian or personal representative).
- Entity information: legal name of the Covered Entity or Business Associate, mailing address, website (if any), and a contact person if known.
- Incident specifics: what happened, when you learned of it, date(s) of the alleged violation, systems involved (for example, patient portal, EHR, email, server), and the type of ePHI affected.
- Regulatory basis: identify Security Rule safeguards you believe were not followed (for example, no risk analysis, weak access controls, missing encryption, lack of audit monitoring).
- Impact and ongoing risk: describe any harm, continuing exposure, or repeated issues.
- Evidence: attach notices, screenshots, letters, logs, emails, or other documentation that supports your account.
Submit the Complaint Electronically or by Mail
You can file online through the OCR Complaint Portal or send a paper form by mail. Electronic submission is usually faster and allows you to track status.
Electronic submission
- Access the OCR Complaint Portal and create or update your submission.
- Enter your information and the entity’s details, then provide a concise, factual narrative describing the Security Rule issues.
- Upload supporting files and indicate whether the issue is ongoing.
- Review, sign electronically where prompted, and submit. Save your confirmation or case number.
Mail submission
- Complete the Health Information Privacy Complaint Form by hand or fillable PDF and sign it.
- Attach copies (not originals) of supporting documents. Keep a full set for your records.
- Mail the form to the appropriate HHS Office for Civil Rights regional office as directed on the form instructions.
Include Signed Consent Form
OCR generally requires a signed consent to obtain and use your medical information during an investigation. In the portal, you will be prompted to sign electronically; for mailed complaints, include the signed consent page with your form.
If you file on behalf of another person, include documentation of your authority to act for that individual. Without the consent, OCR may be unable to access necessary records and could close or limit the investigation.
Understand Retaliation Protection
HIPAA’s Retaliation Prohibition bars covered entities and business associates from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against you for filing a complaint, participating in an OCR investigation, or opposing a practice you believe violates the rules in good faith.
- Protected activities include submitting a complaint, providing information to OCR, and advocating for Security Rule compliance.
- Examples of prohibited retaliation include terminating services, denying benefits, or adverse employment actions because you raised a HIPAA concern.
Report any suspected retaliation to OCR as a separate allegation so it can be addressed alongside your primary complaint.
Observe Complaint Filing Deadlines
You generally must file within 180 days of when you knew, or should have known, that the act or omission occurred. If the issue is ongoing, note the most recent date. OCR may extend the deadline if you show good cause, such as serious illness or delayed discovery of the violation.
File as soon as you can. Timely submissions make it easier for OCR to obtain records, interview witnesses, and assess the Security Rule controls in place when the incident occurred.
Expect OCR Review and Resolution
After you submit, OCR conducts intake to confirm timeliness and complaint jurisdiction, and to determine whether the facts, if true, would violate the HIPAA Security Rule. You may receive a request for additional information or clarification.
Possible outcomes include technical assistance to the entity, voluntary corrective action, a resolution agreement with monitoring, closure for lack of jurisdiction or evidence, or enforcement that can include civil monetary penalties. If issues fall outside HIPAA, OCR may refer the matter to another agency.
During the process, keep your contact details current, respond promptly to OCR inquiries, and retain all correspondence and uploads. In summary, confirm the entity is covered, assemble clear facts and evidence, file via the OCR Complaint Portal or by mail with the Health Information Privacy Complaint Form and signed consent, rely on your retaliation protections, meet the 180‑day deadline, and monitor OCR communications through to resolution.
FAQs
What information is required to file a HIPAA complaint?
You will need your contact details, the name and address of the Covered Entity or Business Associate, the date(s) of the issue, a factual description of the Security Rule concern, and any supporting documents. If filing by mail, complete the Health Information Privacy Complaint Form and include a signed consent.
How do I submit a complaint to HHS OCR?
File online through the OCR Complaint Portal or mail a completed Health Information Privacy Complaint Form to the appropriate OCR regional office. Provide a clear narrative, attach evidence, and sign the required consent so OCR can obtain records needed for review.
What protections exist for complainants under HIPAA?
HIPAA’s Retaliation Prohibition forbids covered entities and business associates from retaliating against you for filing a complaint, assisting OCR, or objecting in good faith to practices you believe violate the Security Rule.
What is the deadline for filing a HIPAA complaint?
You generally must file within 180 days of when you knew, or should have known, about the violation. OCR may grant an extension for good cause, but filing promptly preserves evidence and improves the chances of effective resolution.