How to File a HIPAA Violation Complaint with HHS OCR: Step-by-Step Process and Timeline
Determine Eligibility for Filing
Before you file, confirm that the organization you’re reporting is subject to HIPAA and that your concerns involve the HIPAA Privacy Rule, Security Rule Compliance, or the Breach Notification Rule. OCR enforces these standards for covered entities and their business associates.
Covered entities include health plans, most health care providers that transmit claims electronically, and health care clearinghouses. Business associates are vendors that handle protected health information (PHI) for these entities. Complaints about employers acting as employers, schools, or life insurers typically fall outside HIPAA unless they operate a HIPAA-covered component.
Anyone who believes a violation occurred may file, including patients, personal representatives, or third parties. You can also file if you experienced retaliation for exercising your HIPAA rights. If OCR lacks jurisdiction, it may close or refer the matter to a more appropriate authority.
Prepare a Written Complaint
Your complaint should clearly explain what happened, when it happened, and why you believe it violates HIPAA. Name the organization(s) involved, identify the locations, include relevant dates, and describe any ongoing risk or harm. Attach only the minimum necessary evidence to support your claim.
Map your concern to a HIPAA standard
- HIPAA Privacy Rule: Unauthorized use or disclosure of PHI, refusal to provide access, or lack of a Notice of Privacy Practices.
- Security Rule Compliance: Inadequate safeguards for electronic PHI (ePHI), such as missing risk analyses, weak access controls, or poor audit practices.
- Breach Notification Rule: Failure to notify you “without unreasonable delay” (no later than 60 days after discovery) following a breach of unsecured PHI.
Information to include
- Your name and contact information, and whether OCR may share your identity with the entity.
- The entity’s full name, department or site, and any business associate involved.
- A concise, chronological narrative of the events with specific dates.
- Copies of supporting items (e.g., letters, portal screenshots, bills, emails), redacted as appropriate.
- The relief you seek (e.g., investigation, policy changes, training).
- If late, an explanation supporting a Good Cause Extension request.
Simple complaint template
Subject: HIPAA Complaint – [Entity Name], [Location], [Date(s)]
I believe the [Privacy Rule/Security Rule Compliance/Breach Notification Rule] was violated when [brief facts]. This occurred on [date(s)] and I learned of it on [date]. I request OCR review and appropriate corrective action. Attached are [list exhibits].
Submit Complaint through Multiple Channels
The fastest way to file is through the OCR Complaint Portal, which guides you step by step and allows secure uploads and electronic attestation. Keep a copy of your submission and the case number you receive for tracking.
You may also submit by mail, fax, or email using OCR’s complaint form or a written letter containing all required details. If you need help due to disability or limited English proficiency, request assistance; OCR provides accessibility and language support.
Whether filing online or on paper, sign or attest to the accuracy of your statements. Submit only information necessary to explain the issue, and retain originals of any evidence you send.
Adhere to Filing Deadlines
You generally must file within 180 days from when you knew, or reasonably should have known, about the alleged violation. File as soon as possible to preserve your rights and to help OCR obtain timely evidence.
If you miss the 180-day window, you may request a Good Cause Extension. Reasons can include serious illness, incapacitation, natural disasters, misrepresentation by the entity, or other circumstances outside your control. Explain the facts clearly and provide documentation where available.
After you file, respond promptly to any OCR requests. Delays or incomplete responses can slow or end the review. Keep your contact information current so OCR can reach you.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Understand OCR Review Procedures
OCR begins with intake and triage to confirm timeliness, jurisdiction, and whether your complaint alleges a potential HIPAA issue. If information is missing, OCR may ask you to supplement; if outside its authority, it may close or refer the matter.
When OCR opens your complaint, both you and the entity are notified. Early resolution may occur if the entity promptly addresses the issue, receives technical assistance, or agrees to voluntary steps that resolve the concern. Otherwise, OCR proceeds to a formal investigation.
Timeline expectations vary with case complexity. The key milestones are filing, intake confirmation, determination to investigate, information gathering, and resolution. Keep your documentation organized so you can quickly provide clarifications as needed.
Navigate the Investigation Process
During investigation, OCR may request records, policies, risk analyses, audit logs, and training materials from the entity or business associate. It may also interview witnesses and evaluate the scope and impact of the incident, including any pattern of noncompliance.
You might be asked for more details or consent to share your identity with the entity, which can help OCR obtain specific records. Provide concise, factual responses and submit additional evidence in the requested format.
Possible outcomes include: no violation found; insufficient evidence; technical assistance or voluntary compliance; or formal enforcement. OCR does not award personal damages, but it may require the entity to fix deficiencies that caused or contributed to the violation.
Expect Corrective Actions and Penalties
If OCR identifies noncompliance, it can require Corrective Action Plans that mandate policy updates, workforce training, risk management, monitoring, and reporting to OCR over a set period. These plans drive sustainable Security Rule Compliance and ongoing Privacy Rule controls.
For serious or persistent violations, OCR may enter a resolution agreement that includes a monetary settlement and a robust corrective action plan. When warranted, OCR can impose Civil Monetary Penalties, with amounts that reflect culpability, the number of violations, and efforts to mitigate harm.
Public enforcement actions emphasize transparency and deterrence. Entities that promptly cooperate, remediate issues, and demonstrate sustained compliance typically achieve faster resolution with fewer sanctions.
Key takeaways
- File a clear, evidence-based complaint—preferably via the OCR Complaint Portal—and keep your case number.
- Meet the 180-day deadline or substantiate a Good Cause Extension.
- Organize documentation to speed intake, investigation, and resolution.
- Outcomes range from voluntary fixes and Corrective Action Plans to Civil Monetary Penalties.
FAQs
What entities are eligible for HIPAA complaints?
HIPAA applies to covered entities—health plans, most health care providers that transmit claims electronically, and health care clearinghouses—and to their business associates. Complaints should allege violations of the HIPAA Privacy Rule, Security Rule Compliance, or the Breach Notification Rule by these entities.
How do I submit a complaint to OCR?
Use the OCR Complaint Portal for the most efficient submission and document upload. You can also file by mail, fax, or email using OCR’s complaint form or your own written statement, signed or electronically attested. Include who, what, when, where, supporting evidence, and your contact information.
What is the timeline for filing a HIPAA complaint?
You generally must file within 180 days of when you knew, or should have known, about the violation. If you are late, explain the reason and request a Good Cause Extension. After filing, the overall review and investigation timeline varies based on case complexity.
What happens after OCR accepts a complaint?
OCR notifies the parties, requests information from the entity, and evaluates whether HIPAA was violated. The matter may resolve through technical assistance or voluntary compliance, or proceed to enforcement that can include Corrective Action Plans or Civil Monetary Penalties.