How to Report a HIPAA Violation to the Office for Civil Rights
When you suspect a breach of health information privacy, you can report it to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This guide explains how to report a HIPAA violation to the Office for Civil Rights efficiently, what to include, and what to expect after you submit a complaint.
Before you file, confirm the organization is a Covered Entity or a Business Associate subject to HIPAA. Most complaints must be submitted within 180 days of when you knew of the violation, though OCR can accept late filings for good cause.
Filing a HIPAA Complaint
Who can file and when
You may file a complaint for yourself, for someone you legally represent, or as a witness. Complaints should be filed as soon as possible; the general deadline is 180 days from the date you learned of the conduct. If circumstances made timely filing difficult, explain the reason when you submit.
What conduct qualifies
HIPAA complaints commonly involve impermissible uses or disclosures of protected health information, refusal or delay beyond required time frames to provide access to records, inadequate safeguards, or failures to provide a Notice of Privacy Practices. Violations can occur in clinics, hospitals, health plans, pharmacies, and by vendors acting as a Business Associate.
Cost and representation
Filing is free. You do not need a lawyer. You can ask for language assistance or disability accommodations throughout the process.
Methods to File a Complaint
You can submit a complaint through one of three primary methods:
- Online using the OCR Complaint Portal (fastest and preferred).
- By mail using the HIPAA Complaint Form and supporting documents.
- By email by sending a completed HIPAA Complaint Form and attachments.
The sections below outline each option and what you will need to include.
Information Required for Complaint
Essential details to include
- Your name and contact information so OCR can communicate with you.
- The name, address, and type of organization (Covered Entity or Business Associate) you believe violated HIPAA.
- Key dates and a clear description of what happened and how it affected you.
- Any steps you took to resolve the issue with the organization, if applicable.
- Copies of relevant documents or screenshots; do not send originals unless requested.
- Your preference about OCR sharing your identity with the organization during the investigation.
Tips for a stronger submission
- Be specific and chronological. Identify who, what, when, where, and how.
- Attach only the minimum necessary protected health information to support your claim.
- Label attachments clearly (for example, “Timeline,” “Access Request,” “Response Letter”).
- If filing after 180 days, briefly explain good cause for the delay.
Filing Online via OCR Portal
Step-by-step
- Access the OCR Complaint Portal and start a new HIPAA Complaint Form.
- Enter your contact information and indicate whether you are filing for yourself or someone else.
- Identify the organization as a Covered Entity or Business Associate and provide its details.
- Describe the incident, including dates, locations, and the specific HIPAA rights or safeguards involved.
- Upload supporting files (PDF, image files) and add brief descriptions for each.
- Review your entries, acknowledge the certifications, and submit.
- Save the confirmation number to track the status and for future correspondence.
The OCR Complaint Portal streamlines intake, reduces back-and-forth, and helps you avoid common errors. It is generally the quickest route to get your complaint in front of an investigator.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Filing by Mail or Email
Using the HIPAA Complaint Form
If you prefer not to use the portal, complete the HIPAA Complaint Form and attach your documents. Sign and date the form; if you represent someone else, include proof of authority. Keep copies of everything you send.
Mail and email submission tips
- Mail: Use a trackable service and retain the receipt. The postmark date can help establish timeliness.
- Email: Combine materials into a legible PDF. Use clear filenames and include your name and date in the subject line.
- Do not send original medical records unless OCR requests them. Provide copies or redacted excerpts.
- If you need an alternate format or accommodation, state your request in the cover note.
Retaliation Prohibited under HIPAA
HIPAA prohibits Covered Entities and Business Associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint, participating in an investigation, or asserting your rights. If you experience retaliation related to your complaint, include those facts; OCR can address retaliation as a separate violation.
Retaliatory actions may include termination, denial of services, billing pressure, or harassment. Document dates, statements, and any written communications so OCR can evaluate and, if necessary, take Corrective Action.
Complaint Processing and Enforcement
What happens after you file
OCR first checks jurisdiction and timeliness. If the complaint is accepted, an investigator may contact you and the organization for more information. OCR can resolve matters through technical assistance, Voluntary Compliance commitments, or a formal Corrective Action plan with monitoring. In cases of persistent or willful noncompliance, OCR may seek civil money penalties.
How long it takes and how to help
Time frames vary based on complexity and cooperation. You can help by responding promptly to OCR requests, keeping your contact information current, and organizing your documents. OCR will notify you when the matter is closed and, where applicable, describe the resolution approach.
In short, to report a HIPAA violation to the Office for Civil Rights: confirm the entity is covered by HIPAA, gather clear facts, choose the OCR Complaint Portal or mail/email with the HIPAA Complaint Form, submit within 180 days when possible, and understand that anti-retaliation protections apply and enforcement can result in Voluntary Compliance or Corrective Action.
FAQs
How do I file a HIPAA complaint with OCR?
Choose a filing method, preferably the OCR Complaint Portal, and complete the HIPAA Complaint Form with your contact details, the Covered Entity or Business Associate information, a factual description, dates, and supporting documents. Submit within 180 days of learning about the issue, or explain good cause for any delay.
What information is required to report a HIPAA violation?
You need your contact information, the name and address of the organization, whether it is a Covered Entity or Business Associate, a description of what happened with dates, any steps you took to resolve it, and relevant attachments. Indicate whether OCR may disclose your identity to the organization during the investigation.
Can I file a HIPAA complaint online?
Yes. The OCR Complaint Portal is the fastest way to submit and track a complaint. It guides you through the HIPAA Complaint Form, lets you upload evidence, and provides a confirmation number for follow-up.
What protections exist against retaliation when filing a complaint?
HIPAA forbids retaliation for filing a complaint, participating in an OCR investigation, or asserting your rights. If retaliation occurs, report it to OCR with dates and documentation; OCR can pursue additional remedies, including requiring Corrective Action.