How to File a HIPAA Violation Complaint Online (Step-by-Step)

If you believe your protected health information was mishandled, you can file a HIPAA violation complaint online through the OCR Complaint Portal. This step-by-step guide shows you exactly what to prepare, how to complete each screen, and what to expect under the HIPAA Privacy Rule, including your Retaliation Protection and the Complaint Submission Deadline.

Access the OCR Complaint Portal

What to have ready

• Your contact details (name, address, email, phone).
• The name and location of the organization involved (Covered Entity or Business Associate).
• Dates of the incident and when you discovered it.
• A brief, factual description of what happened.
• Any supporting files (letters, screenshots, notices), if available.

Start a new online complaint

Open your web browser and go to the OCR Complaint Portal. Choose the option to start a new complaint. If prompted, you may continue as a guest or create/sign in to an account to save progress and view messages more easily.

Helpful tips

• Use a private device and secure connection.
• Keep a copy of anything you upload; the portal may limit file sizes.
• Note your confirmation or tracking number after submitting.

Select Complaint Type

Identify who you are complaining about

Select whether the respondent is a Covered Entity (for example, a health care provider, health plan, or clearinghouse) or a Business Associate (a vendor or service that handles protected health information for a Covered Entity).

Choose the issue category

If the complaint involves improper use, disclosure, or access to protected health information, select the HIPAA Privacy Rule category. If you are unsure, pick the option that most closely matches your concern; the Office for Civil Rights will triage it.

Filing for someone else

You may file for yourself or on behalf of another person. If filing for someone else, state your relationship and your authority to act.

Provide Complainant Information

Enter your contact details

Provide your name, mailing address, email, and phone so OCR can contact you for follow-up. Indicate your preferred communication method and any language or accessibility accommodations you need.

Confidentiality options

You can ask OCR to keep your identity confidential from the organization under investigation to the extent the law allows. Providing accurate contact information greatly improves OCR’s ability to investigate and update you.

Detail the Complaint

Describe what happened

Explain, in your own words, what occurred, who was involved, when and where it happened, and how it affected you. Be factual and specific: name departments or individuals if known, cite dates and times, and identify what information was accessed, used, or disclosed.

Explain why it violates HIPAA

Briefly connect the facts to the HIPAA Privacy Rule (for example, disclosure without authorization, denial of timely access, or failure to provide a notice of privacy practices). If multiple issues occurred, list them clearly.

Note the Complaint Submission Deadline

State when you first learned of the issue. You generally must file within 180 days of discovery; if more time has passed, explain any good cause for delay.

Include Additional Information

Upload supporting materials

Attach relevant documents such as correspondence, screenshots, notices of privacy practices, or breach letters. Only include what supports your claim and avoid unnecessary sensitive information.

Prior steps and outcomes

Indicate whether you contacted the organization, whom you spoke with, and any case or ticket numbers. Prior resolution attempts are not required but can speed OCR’s review.

Retaliation Protection

HIPAA prohibits retaliation for filing a complaint or exercising your rights. If you experienced retaliation (for example, service refusal or threats), describe what happened and when. OCR can assess those issues as part of your complaint.

Consent and Signature

Consent to share information

OCR may ask for your consent to share details with the organization to help resolve the complaint. Consenting can facilitate fact-finding, but you may decline; OCR will still evaluate your submission.

Use an Electronic Signature

Certify that your statements are true and complete by typing your full name as an Electronic Signature and dating the form. Check any required boxes acknowledging your declarations and understanding.

Review and Submit

Final review

Confirm names, dates, and contact information; ensure your narrative is clear and concise; and verify that all intended files are attached. Correct typos that could cause confusion.

Submit and track

Submit the complaint and save the confirmation number. Watch for OCR emails requesting additional details or documents and respond promptly to keep the investigation moving.

Conclusion

By using the OCR Complaint Portal and following these steps, you can efficiently file a HIPAA violation complaint online, align your narrative with the HIPAA Privacy Rule, meet the 180-day Complaint Submission Deadline, and assert your Retaliation Protection while providing a complete, verifiable record.

FAQs

How do I access the HIPAA complaint portal online?

Open your browser and navigate to the OCR Complaint Portal, the U.S. Department of Health and Human Services’ online system for HIPAA complaints. From there, choose “Start a new complaint,” then follow the on-screen prompts.

What information is required to file a HIPAA complaint?

You’ll provide your contact details; the name and location of the Covered Entity or Business Associate; dates; a clear description of what happened; what HIPAA Privacy Rule right you believe was violated; and any supporting documents. You can also request accommodations and confidentiality.

Can I file a complaint anonymously?

You may submit without sharing your name with the organization, and you can ask OCR to keep your identity confidential to the extent permitted by law. However, providing contact information helps OCR investigate and communicate with you. HIPAA includes Retaliation Protection for complainants.

What is the deadline to file a HIPAA violation complaint?

You generally must file within 180 days from when you knew or should have known about the violation. If you missed this window, explain any good cause for the delay; OCR may allow an extension.