How to Report a HIPAA Violation: Step-by-Step Guide to Filing a Complaint with HHS OCR



Kevin Henry

HIPAA

January 28, 2024

7-minute read

Reporting a suspected HIPAA violation protects your privacy and helps keep the health care system accountable. This guide walks you through eligibility, what to document, how to submit through the OCR Complaint Portal or by form, your rights against retaliation, and what to expect under HIPAA Enforcement Procedures.

Determine Eligibility

Confirm HIPAA jurisdiction

HIPAA applies to covered entities—health care providers, health plans, and health care clearinghouses—and to their vendors that handle protected health information (PHI), known as business associates. If the incident involves one of these organizations, it falls within HIPAA and the Office for Civil Rights (OCR) can review it.

Ask yourself: Did the organization have access to PHI as part of treatment, payment, or operations? If so, the issue concerns Covered Entity Compliance or Business Associate Responsibilities. If the organization is outside HIPAA (for example, many consumer apps that are not acting for a covered entity), OCR may lack jurisdiction, though other laws could still apply.

Check timeliness

Complaints generally must be filed within 180 days from when you knew of the potential violation. If you missed that window for a good reason, explain why—OCR can extend deadlines for good cause.

Know who can file

You can file on your own behalf, as a parent/guardian or personal representative, or as someone who reasonably believes a violation occurred. You do not have to be the patient, but you should be able to identify the organization and describe what happened.

Identify the rule at issue

Most complaints involve the Privacy Rule (improper use or disclosure of PHI), Security Rule (lack of safeguards for electronic PHI), or Breach Notification Rule (failure to notify after a breach). You do not need to cite the rule to file, but connecting your facts to one of these helps OCR assess Covered Entity Compliance.

Gather Incident Information

Capture the essentials

  • Who: the name of the covered entity or business associate, and the individuals involved.
  • What: a clear description of what occurred and why you believe it violates HIPAA.
  • When/Where: dates, times, and locations (or systems) where the incident occurred.
  • How: the method of disclosure or lapse (e.g., unencrypted email, improper access, overheard conversation, misdirected fax).

Document supporting evidence

Collect emails, letters, portal messages, screenshots, audit logs you were given, and notes of conversations (with dates). Keep originals and provide copies. If multiple incidents occurred, build a timeline so OCR can see patterns.

Note the impact and response

Briefly describe any harm (e.g., embarrassment, identity theft risk) and what you did after discovering the issue (internal complaint numbers, names of staff you notified, and any response you received). This shows you tried to resolve the issue and helps OCR focus its review.

Protect your own privacy

Share only the PHI that is necessary to explain the incident. Redact unrelated medical details from attachments. If you have safety concerns, you may request that OCR keep your identity confidential to the extent the investigation allows.

File the Complaint

Fastest method: OCR Complaint Portal

The OCR Complaint Portal is the quickest way to file and track a complaint. Set aside 15–30 minutes and prepare your narrative in advance so you can paste it in. Steps typically include:

  1. Enter your contact information and preferred communication method.
  2. Identify the organization(s): name, location, and whether it is a covered entity or a business associate.
  3. Select HIPAA as the law involved and describe the incident clearly and chronologically.
  4. Upload evidence (limit sensitive data to what is necessary to explain the issue).
  5. Explain timing: when you learned of the incident and why any delay occurred.
  6. Certify, sign electronically, and submit. Save your confirmation number.

Alternative: Health Information Privacy Complaint Form

If you prefer not to use the portal, complete the Health Information Privacy Complaint Form and submit it by mail or fax as instructed on the form. Sign and date the form, include copies of evidence, and keep a full copy for your records. This option is useful when you cannot upload files or need a paper trail.

Tips to avoid delays

  • Stick to facts—who/what/when/where/how—and avoid long opinion sections.
  • Name all entities involved, including any vendors, to address Business Associate Responsibilities.
  • Use dates for each event and reference your attachments in the narrative.
  • Request disability or language accommodations if needed so OCR can communicate effectively with you.

Understand Retaliation Protections

Your right to be free from retaliation

Covered entities and business associates are prohibited from intimidating, threatening, coercing, discriminating, or taking other adverse action against you for exercising your HIPAA rights or for filing a complaint. This Retaliation Prohibition includes actions at work, in treatment settings, or in plan enrollment and coverage decisions tied to your complaint.

If retaliation occurs

Document what happened, who was involved, dates, and any witnesses. You can include retaliation details in your original complaint or submit a new complaint referencing the first one. Keep pay stubs, schedules, billing records, denial letters, or messages that show adverse actions linked to your complaint.

Practical safeguards

  • Communicate in writing when feasible to create a clear record.
  • Store evidence outside your workplace if the complaint involves your employer.
  • Limit disclosures to what is necessary to assert your rights; do not share unrelated PHI.

Follow the Investigation Process

What happens after you file

OCR first conducts intake to confirm jurisdiction, timeliness, and whether your facts—if true—could violate HIPAA. You may receive a request for clarification or additional documents. If OCR lacks jurisdiction, it may close the matter or refer you to another agency as appropriate.

Possible paths to resolution

  • Technical assistance: OCR educates the organization to fix a limited or first-time issue.
  • Voluntary compliance: the entity agrees to corrective steps and reports back to OCR.
  • Resolution agreement and corrective action plan: detailed commitments, monitoring, and reporting.
  • Civil money penalties: in serious or uncorrected cases as part of HIPAA Enforcement Procedures.
  • No violation found: OCR closes the case when evidence does not support a HIPAA issue.

Timeline and communication

Investigations vary based on complexity and caseload. Straightforward matters can resolve in a few months; complex, multi-incident cases may take longer. Respond promptly to OCR letters and keep your contact details current to avoid delays.

After the decision

OCR will notify you when it closes the case and, where permitted, describe the resolution. If problems continue, you can submit a new complaint with the updated facts and reference the prior OCR case number.

Bottom line: if your facts involve PHI and a covered entity or business associate, file promptly with complete, well-organized details. That gives OCR what it needs to apply HIPAA Enforcement Procedures effectively.

FAQs

What qualifies as a HIPAA violation?

A HIPAA violation occurs when a covered entity or business associate fails to protect PHI or uses/discloses it in a way the Privacy, Security, or Breach Notification Rules do not permit. Examples include snooping in records without a job need, sharing PHI without authorization where no exception applies, losing unencrypted devices with PHI, or failing to provide required breach notifications. Systemic gaps—like missing risk analyses or inadequate access controls—also indicate noncompliance.

How do I submit a complaint to HHS OCR?

Submit online through the OCR Complaint Portal for the fastest processing, or complete and mail/fax the Health Information Privacy Complaint Form. Provide your contact information, name the organization(s), describe what happened with dates, attach evidence, and certify your statement. Aim to file within 180 days of discovering the incident, and request accommodations if you need help communicating with OCR.

What protections exist against retaliation?

HIPAA’s Retaliation Prohibition bars covered entities and business associates from punishing you for asserting your HIPAA rights or assisting an OCR investigation. That includes threats, harassment, termination, demotion, denial of services, or changes in coverage tied to your complaint. If retaliation occurs, document it and report it to OCR as part of your complaint.

How long does the OCR investigation take?

There is no fixed duration. Many cases take several months; complex investigations or those requiring corrective action plans can take longer. Timely responses to OCR requests and a clear set of facts and attachments can help move your case forward.
