How to Report a HIPAA Violation: Compliance Guide for Covered Entities
Reporting a HIPAA violation the right way protects patients, demonstrates that a covered entity is meeting its obligations, and reduces enforcement risk. This guide explains how to file a HIPAA complaint with the HHS Office for Civil Rights (OCR), what to include, and what happens next, and shows how the same discipline reinforces Privacy Rule and Security Rule compliance.
For covered entities and business associates, “reporting” has two tracks: filing a complaint about suspected noncompliance, and self-reporting breaches of unsecured PHI under the Breach Notification Rule. You may need to do both: contain and investigate the incident internally, notify affected individuals, and engage OCR through the appropriate channel.
Filing a HIPAA Complaint
Anyone may file a HIPAA complaint with OCR: patients, workforce members, business associates, or third parties. A complaint must be filed within 180 days of when you knew, or should have known, of the act or omission; OCR may extend this deadline for good cause. Complaints typically involve Privacy Rule violations, Security Rule gaps, or failures to follow Breach Notification procedures.
Before filing, preserve evidence (including audit logs that may age out under retention schedules) and escalate internally to your Privacy or Security Officer. Review relevant policies, audit logs, and Business Associate Agreements. These steps show due diligence and often clarify facts that will help OCR assess the matter quickly.
- Identify the covered entity or business associate involved, dates, locations, and people affected.
- Describe what happened, the type of PHI involved, and which requirement was not met (for example, a missing Security Rule safeguard or a disclosure beyond the minimum necessary).
- Attach supporting materials: policies, screenshots, emails, risk analyses, training records, and remediation steps already taken.
- If you are a covered entity reporting your own lapse, also outline your Breach Notification procedures, notices sent, and mitigation.
Filing a Complaint Electronically
Electronic submission is the fastest path. Complete the online complaint form by selecting the issue type (Privacy Rule, Security Rule, or Breach Notification). Provide contact information, the entity’s details, and a clear narrative describing who did what, when, and how PHI was involved.
- Upload relevant evidence in common file formats and reference it in your narrative.
- State whether you consent to OCR disclosing your name to the entity; without that consent, OCR may be unable to investigate.
- Certify that your statements are accurate and submit. Keep the confirmation for your records.
- For entity self-reporting, use OCR’s separate breach report portal rather than the complaint form. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported within 60 days after the end of the calendar year in which they were discovered. Follow the prompts for incident scope, risk assessment, and notices issued.
Filing a Complaint in Writing
If you prefer mail or fax, submit a signed, dated letter to OCR describing the violation. Include your contact information, the entity’s name and address, key dates, and the nature of the alleged noncompliance. A concise, chronological timeline helps OCR quickly understand the facts.
- Explain which obligations were violated, for example improper disclosures (Privacy Rule), inadequate safeguards (Security Rule), or delayed notification (Breach Notification procedures).
- Attach copies of relevant documents; keep originals. If you need language assistance or accessibility accommodations, note that in your letter.
- If you are a covered entity self-disclosing, include your risk assessment, mitigation steps, and how you are updating policies and training.
Reviewing the Complaint Process
OCR first verifies jurisdiction and whether the complaint is timely and complete. If accepted, OCR may request additional information, interview witnesses, and review policies, risk analyses, and logs. Covered entities must cooperate and preserve records throughout; Security Rule documentation must in any case be retained for six years, and anything relevant to an open matter should be placed on legal hold.
Outcomes vary. OCR may close the matter with technical assistance, obtain voluntary compliance, or require corrective action through a resolution agreement. For serious or willful noncompliance, OCR enforcement actions can include Civil Money Penalties. Complex investigations can take months or longer, depending on scope and cooperation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Understanding Corrective Actions
Corrective actions aim to fix root causes and prove sustained compliance. Typical measures include revising policies, retraining workforce members, sanctioning violators, and strengthening administrative, physical, and technical safeguards required by the Security Rule.
- Update access controls, authentication, encryption, auditing, logging, and device/media protections.
- Perform or refresh risk analysis and risk management plans tied to specific findings.
- Tighten minimum necessary controls, authorization workflows, and use/disclosure tracking.
- Reevaluate Business Associate Agreements, including due diligence, oversight, and breach terms.
- Implement monitoring and reporting to demonstrate measurable, time-bound improvement.
Reporting Retaliation
HIPAA prohibits intimidation, threats, coercion, discrimination, or other retaliation against anyone who reports a violation, files a complaint, or participates in an investigation. Retaliation is itself a violation that you should report to OCR.
- Document the retaliatory act, date, people involved, and any adverse employment or service impact.
- Escalate through your compliance channels and include retaliation details if you file with OCR.
- Maintain contemporaneous notes and preserve messages or performance records that show causation.
Knowing Your Rights Under HIPAA
Individuals have rights to receive a Notice of Privacy Practices, access and obtain copies of PHI, request amendments, request restrictions, and request confidential communications. They also have a right to an accounting of certain disclosures and to timely breach notifications.
Covered entities and business associates must meet Security Rule compliance standards, follow minimum necessary principles, honor individual rights, and fulfill Breach Notification procedures. Robust policies, workforce training, and ongoing risk management are central to avoiding OCR enforcement actions.
In practice, effective compliance means documenting decisions, acting quickly on incidents, communicating transparently, and verifying that remediation prevents recurrence. Doing so reduces risk of Civil Money Penalties and shows good-faith commitment to privacy and security.
FAQs
How do I file a HIPAA complaint electronically?
Use OCR’s online complaint process to enter your contact information, select the issue category (Privacy Rule, Security Rule, or Breach Notification), describe what happened with dates and facts, upload supporting evidence, consent to information sharing if you wish, certify accuracy, and submit. Keep the confirmation for your records.
What information is required to report a HIPAA violation?
Provide your contact details, the covered entity or business associate’s name, dates and locations, a clear description of the conduct, the type of PHI involved, how Privacy Rule violations or Security Rule requirements were not met, steps already taken, and any documents—policies, emails, logs, or notices—that support your account.
What happens after I file a HIPAA complaint?
OCR screens the complaint for jurisdiction and timeliness, may request more information, and—if it investigates—reviews policies, training, risk analyses, and system safeguards. Outcomes can include technical assistance, voluntary compliance, corrective action plans or resolution agreements, and, when warranted, Civil Money Penalties as part of OCR enforcement actions.
Can I be retaliated against for reporting a HIPAA violation?
No. HIPAA prohibits retaliation against anyone who reports, complains, or assists an investigation. If retaliation occurs, document it and include those details in your complaint to OCR. Covered entities should have policies and training that explicitly bar retaliation and provide safe reporting channels.