How to Report a HIPAA Violation Online via HHS OCR: Step-by-Step Portal Guide


Kevin Henry


January 27, 2024


Access the OCR Complaint Portal

The OCR Complaint Portal is the official online system for reporting potential HIPAA Privacy, Security, or Breach violations to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). You use it to start a complaint submission, upload evidence, and receive a confirmation number for tracking.

Before you begin, confirm that the organization you plan to report is a covered entity (such as a doctor, hospital, clinic, pharmacy, health plan, or healthcare clearinghouse) or a business associate (a vendor or service provider that handles protected health information for a covered entity). HIPAA generally applies to these entities and their workforce members.

Quick start steps

  • Open the portal and select the option to file a new HIPAA complaint.
  • Choose the HIPAA topic that matches your concern (Privacy, Security, or Breach Notification).
  • Review and accept the portal notices and consent acknowledgments to proceed.
  • Decide whether to create an account for easier status checks or continue without one.

Prepare Required Information

Gathering complete, accurate details before you file makes the complaint faster to submit and stronger. Aim for clear, factual descriptions supported by documents where possible.

Information to collect

  • Your contact information (name, mailing address, phone, and email). If you represent someone else, note your relationship and authorization.
  • Identification of each covered entity or business associate involved: legal name, location, and department or unit (if known).
  • Dates of each incident, whether the issue is ongoing, and how you discovered it.
  • A concise narrative of what happened, including who was involved, what PHI was affected, and how the event violated HIPAA standards.
  • Relevant records: screenshots, letters, notices of privacy practices, breach notifications, policies, or emails that support your account.
  • Names and contact details of witnesses or staff who may corroborate events.
  • Any steps you already took (for example, contacting the provider’s privacy officer) and the responses you received.
  • Whether you want OCR to keep your identity confidential from the entity, understanding that confidentiality may limit communication with you or the entity during the investigation process.

Tips for strong documentation

  • Stick to facts, times, and dates; avoid speculation.
  • Redact unrelated personal details before uploading documents.
  • Group attachments logically (for example, timeline, emails, screenshots) and use clear file names.

Submit a Complaint Online

Once ready, walk through the portal screens carefully. Accuracy at this stage speeds OCR’s initial review and reduces follow-up requests.

Step-by-step

  1. Enter your information or the information of the person you represent. Indicate preferences for communication and confidentiality.
  2. Select the issue category and identify whether the subject is a covered entity, business associate, or both. You can add multiple entities if needed.
  3. Provide the incident dates and mark if the practice is ongoing.
  4. Describe what happened in a clear, chronological narrative. Explain how the conduct violates HIPAA and what harm or risk resulted.
  5. Upload supporting files. Ensure attachments are legible and relevant to the complaint submission.
  6. Answer screening questions (for example, whether the matter is in court or has been resolved) so OCR can confirm jurisdiction.
  7. Review your entries, then certify and sign electronically that your statements are true and correct to the best of your knowledge.
  8. Submit the complaint. Save or print the confirmation page and your complaint number for future reference.

After submission, monitor your email (and portal inbox, if you created an account) for OCR communications. Respond promptly to requests for more information.

Understand Filing Deadlines

HIPAA complaints generally must be filed within 180 days from when you knew, or should have known, about the violation. This complaint deadline can be extended if you show good cause for delay, such as serious illness, limited English proficiency without timely assistance, or delayed discovery of the issue.

For ongoing practices, the 180-day period typically runs from the most recent occurrence. If you are close to the deadline, submit immediately and explain any good-cause facts in your narrative or cover note.


Know Retaliation Protections

HIPAA prohibits covered entities and business associates from intimidating, threatening, coercing, discriminating against, or taking any other adverse action because you exercised your rights or filed a complaint with OCR. This is often referred to as HIPAA retaliation.

If you experience retaliation, document it and include those details in your complaint or in a supplemental submission. Keep emails, write down dates and statements, and note any changes to your job, services, or billing that occurred after you raised concerns.

Follow Complaint Processing

OCR first screens your complaint to confirm jurisdiction and timeliness. If appropriate, OCR opens an investigation and notifies the entity. You may receive requests for clarification or additional evidence as the review proceeds.

What OCR may do

  • Seek voluntary compliance or provide technical assistance to correct issues quickly.
  • Negotiate corrective action plans or resolution agreements that require policy changes, training, monitoring, or other remedies.
  • Assess civil monetary penalties when warranted by law and evidence.
  • Close matters that lack sufficient evidence, fall outside HIPAA, or are resolved through early intervention.

At closure, OCR typically sends you a letter explaining the outcome. Timeframes vary based on complexity, responsiveness of the parties, and the scope of any corrective actions.

Contact OCR for Assistance

If you need help using the portal, require language assistance or disability accommodations, or prefer a different submission method, reach out to OCR for guidance. Staff can explain what information to include, how to structure your narrative, and how to reference your complaint number for status updates.

If you cannot file online, you can ask about submitting a paper or emailed complaint and what documents to include. Keep copies of everything you send and note the date you contacted OCR.

Conclusion

Reporting a HIPAA concern is straightforward when you prepare your facts, file through the OCR Complaint Portal, meet the complaint deadline, and keep records. If retaliation occurs, document it and notify OCR. Monitor communications, respond quickly, and retain your complaint number to follow the investigation process from start to finish.

FAQs

What information is needed to file a HIPAA complaint online?

You should have your contact details, the name and location of each covered entity or business associate involved, dates of the incident(s), a clear narrative of what happened, and any supporting documents or witness information. Indicate whether the issue is ongoing and whether you request confidentiality.

How long do I have to report a HIPAA violation?

Generally, you must file within 180 days of when you knew or should have known about the violation. OCR may extend this period if you provide good-cause reasons for a late filing, so submit as soon as possible and explain any delays.

Can I file a complaint anonymously?

You may submit without sharing your name, but providing contact information helps OCR request clarifications and update you. You can also ask OCR not to reveal your identity to the entity, though confidentiality can limit some communications during the investigation.

What happens after I submit a HIPAA complaint online?

OCR screens your complaint for jurisdiction and timeliness, then may open an investigation. The entity is contacted, evidence is reviewed, and OCR may seek voluntary compliance, require corrective actions, or impose penalties. You will receive communication about the outcome when the matter is resolved.
