How to File a HIPAA Violation Complaint with the HHS Office for Civil Rights (OCR)


Kevin Henry

HIPAA

March 14, 2024

7 minute read

If you believe your protected health information was used or disclosed improperly, you can ask the HHS Office for Civil Rights (OCR) to review the incident. This guide explains how to file, what to include, and what to expect during the investigation and enforcement process.

You will learn the available filing routes, the essential details to provide when identifying the covered entity or reporting a business associate, the filing deadlines, and the protections you have against retaliation.

Filing Methods for HIPAA Complaints

You can submit a HIPAA complaint using any of the following methods. Choose the route that best fits your situation and documentation needs.

  • Online: File through the OCR Complaint Portal for the fastest, most trackable submission.
  • Mail: Send a completed OCR complaint form and supporting documents to the appropriate regional office.
  • Fax: Transmit the signed complaint package to the number listed on the OCR form or regional office page.
  • Email: Email a scanned, signed complaint form and attachments using the address provided by OCR.

Regardless of the method, keep copies of everything you submit. If you have multiple issues or respondents, organize your materials so OCR can quickly understand your claims.

Complaint Requirements and Deadlines

What your complaint should include

  • Your name and contact information, and if applicable, your role as the patient or personal representative.
  • Covered Entity Identification: the name, address, and role of the healthcare provider, health plan, or clearinghouse you believe violated HIPAA.
  • Business Associate Reporting: identify any vendor, contractor, or service provider that handled protected health information on behalf of a covered entity.
  • A concise description of what happened, including dates, locations, people involved, and how your privacy or security was impacted.
  • Any supporting materials (letters, notices, screenshots, policies) that substantiate your allegations.
  • Your signature (handwritten or electronic via the portal) certifying the information is true to the best of your knowledge.

Complaint Filing Deadlines

You generally must file within 180 days of when you knew or should have known about the alleged violation. If you missed the 180-day window, explain any good cause for delay; OCR may allow an extension in limited circumstances.

OCR can investigate HIPAA issues involving covered entities and their business associates. If your complaint concerns entities not subject to HIPAA, OCR may close it or refer you elsewhere. You may be asked to sign a consent form allowing OCR to share information, including protected health information, with the entity under review; without consent, OCR’s ability to investigate may be limited.

Online Filing Through OCR Portal

The OCR Complaint Portal streamlines submission and helps you monitor your case. To file online:

  1. Gather key facts: dates, locations, Covered Entity Identification, and any Business Associate Reporting details.
  2. Create an account or proceed as directed to start a new complaint in the OCR Complaint Portal.
  3. Complete the questionnaire, selecting the issue type (privacy, security, breach notice, or retaliation).
  4. Describe what happened clearly and succinctly; reference documents you will attach.
  5. Upload evidence such as letters, emails, notices of privacy practices, or screenshots.
  6. Review, electronically sign, and submit. Save your confirmation number for records.
  7. Check for OCR follow-up requests and respond by the stated date to avoid delays.

Mail and Fax Submission Procedures

If you prefer mail or fax, use the official OCR complaint form and follow these steps:

  1. Complete all sections legibly, sign, and date the form.
  2. Attach copies (not originals) of supporting documents and a brief timeline of events.
  3. Address your package to the OCR regional office indicated on the form; this helps route your case correctly.
  4. For fax, ensure all pages are numbered and readable; include a cover sheet with your contact information.
  5. Retain proof of mailing or transmission and a full copy of what you sent.

If you require accommodations or language assistance, note that on your form so OCR can communicate with you effectively.


Email Complaint Submission

You may email your complaint by sending a scanned, signed OCR complaint form and attachments to the designated OCR email listed on the form. Use a clear subject line (for example, “HIPAA Complaint – [Your Name] – [Entity Name]”) and list attachments in the message body.

Because ordinary email is not a secure channel, avoid including unnecessary sensitive details in the message text. Attach documents as PDFs where possible, and confirm that file sizes comply with OCR’s stated limits. Keep the sent email and any delivery confirmations.

Investigation and Enforcement Process

Intake and case opening

OCR screens complaints for jurisdiction, timeliness, and sufficiency. If accepted, OCR opens a case and may contact you or the respondent for more information or to explore early resolution.

Evidence gathering

Investigations can involve document requests, interviews, and, when appropriate, site visits. OCR assesses whether the entity complied with the Privacy, Security, and Breach Notification Rules and whether policies, training, or safeguards were adequate.

Outcomes and remedies

  • Technical assistance or voluntary compliance when issues are limited and quickly correctable.
  • Resolution agreements that may include detailed Corrective Action Plans, training, policy revisions, risk analyses, and monitoring by OCR.
  • Enforcement Penalties (civil money penalties) when warranted by the nature and extent of noncompliance, degree of culpability, and harm.

OCR typically issues a closure letter explaining the resolution. Entities are expected to meet all corrective steps by specified deadlines; failure to do so can trigger further enforcement.

Protections Against Retaliation

HIPAA includes a strong prohibition on retaliation. Covered entities and business associates may not intimidate, threaten, coerce, discriminate against, or take other adverse action against you for filing a complaint, participating in an investigation, or opposing conduct you reasonably believe violates HIPAA.

If you experience retaliation, document what occurred, when, and who was involved, and notify OCR promptly. Keep emails, messages, schedules, or performance notes that show changes after your protected activity. OCR can investigate retaliation alongside your underlying HIPAA concerns.

Conclusion

To summarize: choose a filing method that fits your needs, provide clear facts that accurately identify the covered entity or business associate involved, file within the 180-day deadline, and respond promptly to OCR requests. If violations are found, OCR may require corrective action plans or impose civil money penalties, and you are protected from retaliation for raising your concerns.

FAQs

What information is required to file a HIPAA complaint?

Provide your contact details; Covered Entity Identification (and any Business Associate Reporting details); a clear description of what happened with dates, locations, and people involved; supporting documents; and your signature. If asked, include consent allowing OCR to share information with the respondent for investigation.

How can I submit a HIPAA violation complaint to OCR?

Submit through the OCR Complaint Portal for the fastest processing, or use mail, fax, or email with a signed complaint form and attachments. Keep copies and any confirmations, and respond quickly to OCR follow-up requests.

What happens after OCR receives my complaint?

OCR reviews for jurisdiction and timeliness, then may open an investigation, request evidence, and assess compliance. Resolutions can include technical assistance, voluntary changes, Resolution Agreements with Corrective Action Plans, monitoring, or civil Enforcement Penalties when appropriate.

Is retaliation prohibited against complainants under HIPAA?

Yes. The HIPAA Retaliation Prohibition bars covered entities and business associates from taking adverse action against you for filing a complaint or cooperating with OCR. If retaliation occurs, document it and report it to OCR promptly.
