How to Report a HIPAA Violation Online: Step-by-Step Guide


Kevin Henry

HIPAA

January 28, 2024


If you believe your Protected Health Information (PHI) was misused or exposed, you can report it through the OCR Complaint Portal. This guide shows you exactly how to file under the HIPAA Privacy Rule and Security Rule, what to include as violation documentation, and what to expect from enforcement procedures.

Access OCR Complaint Portal

Start by opening the OCR Complaint Portal, the official online system for HIPAA complaints. Use a trusted device and a modern browser so you can upload files and complete electronic signatures without errors.

What to prepare before you begin

  • Names and contact details for the organization (covered entity) or vendor (business associate) involved.
  • Key dates, locations, and a concise description of what happened and how PHI was affected.
  • Any violation documentation: emails, letters, screenshots, notices, policies, or call logs.
  • Your contact information and preference for communications, or your plan for anonymous complaints.
  • Awareness of timing: complaints should be filed promptly, so gather facts and submit as soon as you can.

Select Health Information Privacy Complaint

In the portal, choose “Health Information Privacy Complaint.” This routes your submission to the HIPAA team for issues under the HIPAA Privacy Rule (use and disclosure of PHI, right of access) and Security Rule (safeguards for electronic PHI).

Choose the right category

  • If the concern involves unauthorized use or disclosure, pick options related to privacy violations.
  • If it involves inadequate security measures, pick security safeguards or breach-related options.
  • If it involves delayed or denied access to your records, select the patient right-of-access category.

Provide Complainant Information

Enter your name, mailing address, phone, and email. Indicate whether you are the patient, a personal representative, or another complainant. Clear contact details help OCR request clarifications and provide status updates.

Privacy and anonymity options

You may request that OCR keep your identity confidential or file an anonymous complaint. Anonymous complaints are accepted, but limited contact can reduce OCR’s ability to follow up for evidence or case updates. If you request confidentiality, OCR will strive to protect your identity while still conducting the investigation.

Enter Covered Entity Details

Provide the full legal name of the covered entity (for example, a hospital, clinic, health plan, or clearinghouse) and its mailing address, phone number, and the specific department or facility involved. If a vendor or contractor handled PHI, include the business associate’s details as well—this helps with covered entity reporting and ensures OCR contacts all appropriate parties.

Tips for accuracy

  • Use exact names from billing statements, insurance cards, or official correspondence.
  • List additional locations or facilities if the incident spans multiple sites.
  • Mention any internal case numbers or points of contact you’ve already spoken with.

Describe the HIPAA Violation

Write a factual, chronological account of what occurred. Focus on who was involved, what PHI was affected, when and where it happened, how you discovered it, and why you believe it violates the HIPAA Privacy Rule or Security Rule.

Make your narrative clear and specific

  • Identify the types of PHI involved (e.g., diagnoses, medications, account numbers) without posting unnecessary sensitive details.
  • Explain the issue: unauthorized disclosure, snooping by staff, impermissible marketing, lack of safeguards, improper denial of access, or breach notification problems.
  • Include steps you took with the organization (who you contacted and their response).

Attach Supporting Documentation

Upload violation documentation that supports your account. Useful files include emails, letters, screenshots, photos of mailed documents, call logs, privacy notices, policies, or breach letters. Strong evidence helps OCR evaluate credibility and scope.

File preparation checklist

  • Redact nonessential identifiers and unrelated medical details before uploading.
  • Use common formats (PDF, JPG, PNG) and clear filenames that describe the content.
  • Attach only copies—keep originals for your records.

What not to include

  • Avoid uploading entire medical charts unless they are directly relevant.
  • Do not submit irreplaceable originals or files that contain others’ PHI unrelated to your complaint.

Review and Submit Complaint

Carefully review each answer for accuracy. Certify that your statements are true, then sign electronically and submit. After submission, you should receive confirmation and a tracking or case number—save it for your records.

After you submit: what to expect

  • OCR conducts an initial review to confirm jurisdiction and whether the facts, if true, would violate HIPAA.
  • Depending on the case, OCR may seek more information, provide technical assistance, open a formal investigation, or close the matter.
  • Enforcement procedures can include voluntary compliance, corrective action plans, resolution agreements, or, in certain circumstances, civil monetary penalties or referrals.

Conclusion

Reporting a HIPAA concern online is straightforward when you prepare key facts, identify the covered entity or business associate, and include clear violation documentation. The OCR Complaint Portal guides you through each step so your Protected Health Information concerns can be reviewed under the HIPAA Privacy Rule and Security Rule.

FAQs

Can I report a HIPAA violation anonymously?

Yes. You can submit an anonymous complaint or ask OCR to keep your identity confidential. Keep in mind that anonymous complaints limit OCR’s ability to request follow-up details or provide updates, so include as much specific information and evidence as possible.

How long does OCR take to investigate a complaint?

Timeframes vary by complexity and workload. You may receive an acknowledgment soon after filing, while information-gathering and resolution can take weeks to several months. Some matters are addressed quickly through technical assistance; more complex investigations can take longer.

What information is required to file a HIPAA complaint?

You should provide your contact information (unless filing anonymously), the covered entity or business associate’s details, dates and locations, a clear description of what happened, how PHI was affected, and any supporting documents. Specifics about the HIPAA Privacy Rule or Security Rule issue help OCR assess the complaint.

Where can I find official instructions for reporting HIPAA violations online?

Official instructions are available in the OCR Complaint Portal and on the Office for Civil Rights pages that explain how to report HIPAA violations online. Search for the portal by name to access step-by-step guidance.
