How to Report a HIPAA Violation: Step-by-Step Guide and Where to File

Kevin Henry

HIPAA

February 13, 2024

6 minute read

Knowing how to report a HIPAA violation helps protect patient privacy and strengthens trust in healthcare. This step-by-step guide explains what qualifies as a violation, how to report concerns inside an organization, where and how to file with the Office for Civil Rights (OCR), what information you need, and how to address retaliation and anonymity while also navigating state-level options.

Understanding HIPAA Violations

What a violation is—and who must comply

HIPAA applies to covered entities (health plans, healthcare providers, and clearinghouses) and their business associates that handle protected health information (PHI). A HIPAA Privacy Rule violation occurs when PHI is used or disclosed without a valid authorization or permitted basis. Security Rule violations involve failing to safeguard electronic PHI. The HIPAA Breach Notification Rule requires entities to notify affected individuals, HHS, and sometimes the media when certain breaches occur.

Common examples

  • Accessing or sharing patient records without a treatment, payment, or operations purpose.
  • Discussing patient details in public areas or on unsecured messaging platforms.
  • Lost or stolen devices lacking encryption or other safeguards.
  • Ignoring patient rights to access, amend, or receive an accounting of disclosures.

Immediate steps to take

  • Document what happened: dates, times, locations, names, and any supporting records or screenshots.
  • Preserve evidence but do not improperly copy or further disclose PHI.
  • Report promptly—timeliness strengthens any investigation.

Reporting Internally Within Organizations

Start with internal channels when appropriate

Most organizations encourage you to report to the healthcare compliance officer first. Using internal avenues can lead to quick containment, corrective action, and workforce education while preserving evidence for any external investigation.

How to report internally

  • Notify the privacy or compliance officer, your supervisor, or use the organization’s hotline/portal.
  • Provide facts: who was involved, what PHI was affected, how it occurred, and immediate risk-reduction steps taken.
  • Request written confirmation of your report and a general description of next steps.

When to escalate

If internal responses are delayed, dismissive, or compromised by conflicts of interest—or if patient harm or widespread exposure is likely—consider external reporting to OCR without waiting for internal resolution.

Filing a Complaint with OCR

When to go to the federal regulator

File with the U.S. Department of Health and Human Services’ Office for Civil Rights when a covered entity or business associate may have violated HIPAA. OCR’s complaint procedure accepts submissions from patients, personal representatives, workforce members, and others with direct knowledge.

Step-by-step: OCR Complaint Portal submission

  1. Identify the organization(s) that violated HIPAA and the date(s) you learned of the issue.
  2. Describe what happened, which rules you believe were violated (for example, a HIPAA Privacy Rule violation), and any steps you or the organization already took.
  3. Attach supporting materials (emails, letters, screenshots) that do not further disclose PHI unnecessarily.
  4. Provide your contact information so OCR can request details and update you; you may request confidentiality.
  5. Certify that your statements are true and submit. Keep a copy of your confirmation for your records.

What to expect after filing

  • Triage and jurisdiction check: OCR confirms the entity is subject to HIPAA and the complaint is timely.
  • Early resolution or investigation: OCR may seek voluntary compliance, request documents, and interview witnesses.
  • Outcomes: technical assistance, corrective action plans, negotiated settlements, or closure if insufficient evidence.

Complaint Filing Requirements

Core information OCR typically needs

  • Your name and contact information (or a confidentiality request).
  • Name and contact information for the organization(s) involved.
  • Dates you believe the violation occurred and the date you discovered it.
  • A clear narrative describing what happened and why it violates HIPAA.
  • Any supporting documents or witness information.
  • Whether you reported internally and any response you received.

Deadlines and timing

Generally, complaints should be filed within 180 days of when you knew of the violation. If you miss that window, explain the reason; OCR may extend the period for good cause.

Filing for someone else

If you are filing for a patient or another person, indicate your relationship and provide authorization or proof of personal representative status when available, so OCR can communicate with you about the case.

Addressing Retaliation Concerns

Your rights and protections

HIPAA retaliation protection prohibits covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against anyone for filing a HIPAA complaint, assisting an investigation, or opposing unlawful practices.

Practical steps if you experience retaliation

  • Document retaliatory actions: dates, emails, performance reviews, schedule changes, or comments.
  • Report retaliation internally to compliance, HR, or legal counsel, and externally to OCR if needed.
  • Preserve evidence and maintain professionalism; avoid discussing PHI outside permissible channels.

Submitting Anonymous Complaints

Anonymous versus confidential

You can often report internally without revealing your identity, and you may ask OCR to keep your identity confidential. Filing without contact information can limit OCR’s ability to investigate and prevents status updates, but confidentiality requests allow you to participate while protecting your privacy to the extent allowed by law.

Tips to protect your identity

  • Use official reporting channels that accept confidential submissions.
  • Provide facts needed to investigate without revealing personal identifiers unnecessarily.
  • Avoid sharing details about your report with coworkers who do not need to know.

State-Specific Reporting Procedures

Why also consider state reporting

States may enforce additional health privacy, medical records, and patient-rights laws. Filing a complaint with a state health department can prompt faster local action, licensing review, or remedies available under state law.

Where to file at the state level

  • State health department or public health privacy office.
  • Professional licensing boards (medical, nursing, pharmacy, behavioral health).
  • State attorney general consumer protection or healthcare division.
  • Insurance department for health plan or insurer issues.

Coordinating federal and state actions

You may file with both OCR and state authorities. Share consistent facts, keep copies of submissions, and note any reference numbers. If a significant breach is involved, ask how your state coordinates with federal enforcement and whether parallel investigations will occur.

FAQs

How do I file a HIPAA complaint with OCR?

Prepare a clear timeline and description of the incident, identify the organization(s) involved, gather supporting documents, and submit through the OCR Complaint Portal or by the other methods OCR accepts. Request confidentiality if needed, retain your confirmation, and respond promptly to any OCR follow-up.

What information is required in a HIPAA violation report?

Provide your contact details (or a confidentiality request), the organization’s name and contact information, dates of the incident and discovery, a factual narrative of what happened and why it violates HIPAA, and any supporting evidence or witness details. Note whether you reported internally and any response received.

Can I report a HIPAA violation anonymously?

You can often report internally without disclosing your identity and ask OCR to keep your identity confidential. Fully anonymous filings may limit investigation and prevent updates, but you should still include enough facts for regulators to identify the organization and what occurred.

What protections exist against retaliation for reporting HIPAA violations?

HIPAA retaliation protection prohibits covered entities and business associates from punishing or intimidating you for reporting, cooperating with OCR, or opposing unlawful practices. Document any adverse actions, report them internally and to OCR, and preserve evidence to support your claim.
