How to Report HIPAA Violations: Official Agencies, Deadlines, and Best Practices
If you suspect protected health information (PHI) was mishandled, you need to know whom to contact, when to act, and what to include. This guide explains the Office for Civil Rights complaint process, the HIPAA breach notification rule, and state and federal steps so you can report confidently and on time.
Reporting to the Office for Civil Rights
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA’s Privacy, Security, and Breach Notification Rules. Report suspected violations by covered entities (health plans, providers, clearinghouses) and their business associates.
HIPAA complaint filing deadlines generally require you to submit a complaint within 180 days of when you knew—or should have known—of the violation; OCR can extend this for good cause. Outcomes may include technical assistance, corrective action plans, or civil monetary penalties against the entity.
- Report issues such as unauthorized disclosures, failure to safeguard ePHI, denial of right of access, lack of breach notification, or intimidation/retaliation.
- Provide facts, not conclusions: who was involved, what happened, when and where it occurred, and how it affected PHI.
- Keep copies of policies, notices, emails, and audit logs that support your allegation.
Filing a Complaint Electronically
The fastest route is OCR's electronic complaint portal. You may also submit by mail, fax, or email, but online filing speeds intake and gives you a confirmation you can track.
- Verify jurisdiction: confirm the organization is a HIPAA covered entity or business associate. If not, see the Federal Trade Commission health breach notification and state options below.
- Gather details: your contact information (optional), the entity’s name and address, dates of the incident, what occurred, which HIPAA provisions you believe were violated, and supporting documents.
- Complete the electronic form: you can file for yourself, for someone else, or on behalf of a group.
- Acknowledge the 180‑day deadline and attest that your submission is accurate to the best of your knowledge.
- Save the confirmation and retain a copy of everything you submitted for your records.
You may file anonymously, but anonymity can limit OCR’s ability to investigate and to communicate with you. Disclose only the minimum necessary PHI; redact extraneous identifiers in attachments.
After intake, OCR may request more information, offer technical assistance, open a formal investigation, or close the matter if it lacks jurisdiction or evidence. HIPAA has no private right of action: a complainant does not receive damages, although the entity may face corrective action or civil monetary penalties.
Breach Notification Deadlines
When unsecured PHI is breached, the HIPAA breach notification rule puts covered entities and business associates on fixed clocks. "Discovery" is the first day the breach is known to the entity, or would have been known had it exercised reasonable diligence, including knowledge held by any workforce member or agent other than the person who committed the breach.
Notice to affected individuals
Notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery. The notice must describe what happened, types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and contact information.
Notice to HHS
- 500 or more individuals affected: notify HHS without unreasonable delay and no later than 60 days after discovery.
- Fewer than 500 individuals: log each breach and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Notice to media
If a breach involves 500 or more residents of a single state or jurisdiction, notify prominent media outlets in that area within 60 days of discovery.
Business associate duties
A business associate must notify its covered entity without unreasonable delay and no later than 60 calendar days after discovery, identifying each affected individual and supplying information the covered entity needs for notices.
Documentation and retention
Conduct and document the four-factor risk assessment (the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated); an impermissible use or disclosure is presumed to be a breach unless that assessment shows a low probability of compromise. Maintain a breach log and retain investigation records, notices, and policies for at least six years. If a law enforcement official states that notification would impede an investigation, document the request: a written statement specifying a period justifies delay for that period, while an oral statement justifies a delay of no more than 30 days unless a written statement follows. Absent such a request, do not postpone notices beyond the 60-day ceiling, and treat 60 days as an outer limit rather than a safe harbor: an entity that waits that long without reason can still be found to have delayed unreasonably.
Reporting to the Federal Trade Commission
For organizations not regulated by HIPAA—such as direct‑to‑consumer health apps, connected devices, or personal health record (PHR) services—the Federal Trade Commission health breach notification rule may apply.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- If 500 or more individuals are affected, notify the FTC at the same time you notify individuals and in no case later than 60 calendar days after discovery (the 2024 amendments to the rule replaced the earlier 10-business-day window), and notify prominent media in the affected state or jurisdiction.
- If fewer than 500 are affected, maintain a breach log and submit an annual summary to the FTC within 60 days after the end of the calendar year.
Entities subject to HIPAA follow the HIPAA breach notification rule. Consumers may still report deceptive or unfair health‑data practices by non‑HIPAA companies to the FTC.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Notifying State Health Departments
States have their own privacy and data-breach statutes, and many facilities are licensed by state health departments. State attorneys general can bring civil actions for HIPAA violations under the HITECH Act, and state health departments enforce the licensing and state privacy rules that apply to the facilities they oversee; several accept complaints directly.
Review your state’s breach law for whom to notify, threshold triggers, and timing. Many require notice to affected residents and, in some cases, to the attorney general or health department. Deadlines often range from “without unreasonable delay” to fixed windows (commonly 30–60 days) and may specify content and formatting.
Coordinate timelines so state notices align with HIPAA and—if applicable—FTC requirements. Ensure consistent facts across all notices and tailor them to each jurisdiction’s definitions and thresholds.
Best Practices for Reporting
A disciplined process reduces risk and speeds resolution. Use these steps when reporting HIPAA violations or breaches.
- Confirm jurisdiction: determine whether the organization is a covered entity, business associate, or non‑HIPAA health app.
- Contain and preserve: secure systems, limit further exposure, and retain logs, emails, screenshots, and audit trails.
- Build a precise timeline: the date you learned of a violation starts the 180-day OCR complaint window, and the date the entity discovered a breach starts the notification clocks, so record both.
- Share the minimum necessary: document who, what, when, where, and how; avoid speculation and over‑disclosure of PHI.
- Document decisions: record your risk assessment, mitigation actions, and the rationale for notifying—or not notifying—each audience.
- Coordinate across agencies: align the Office for Civil Rights complaint process with state and Federal Trade Commission health breach notification obligations.
- Communicate clearly: use plain‑language notices with actionable steps for affected individuals.
- Retain records for at least six years to meet HIPAA documentation requirements.
Whistleblower Protections under HIPAA
HIPAA’s anti‑retaliation rule prohibits covered entities and business associates from intimidating, threatening, coercing, or discriminating against anyone for filing a complaint, assisting an OCR investigation, or opposing unlawful practices in good faith.
HIPAA also allows limited disclosures of PHI by workforce members who believe, in good faith, that an entity’s conduct is unlawful or endangers patients. You may disclose to OCR, to a state oversight agency or attorney general, or to an attorney to obtain legal advice—using only the minimum necessary information.
Other laws may also provide whistleblower retaliation protection. Preserve evidence, keep contemporaneous notes, and seek guidance if you fear retaliation. Taken together, these safeguards help you report concerns while protecting your career and patient privacy.
FAQs
Which agency handles HIPAA violation complaints?
HHS’s Office for Civil Rights is the primary agency for HIPAA violation complaints. State attorneys general may also enforce HIPAA and related state laws, and the FTC addresses non‑HIPAA health‑data issues involving consumer health apps and PHR services.
How soon must HIPAA breaches be reported to HHS?
For breaches affecting 500 or more individuals, report to HHS without unreasonable delay and no later than 60 calendar days after discovery. For fewer than 500 individuals, log each breach and report to HHS within 60 days after the end of the calendar year in which the breach was discovered.
Can HIPAA complaints be filed anonymously?
Yes. You can submit a complaint without your name, but anonymity may limit OCR’s ability to investigate and to update you. Providing contact information helps OCR seek clarifications while still protecting your privacy to the extent allowed by law.
What are the protections against retaliation for reporting HIPAA violations?
HIPAA prohibits retaliation for filing a complaint or participating in an investigation, and it allows good‑faith disclosures to OCR, oversight agencies, or an attorney using the minimum necessary PHI. Additional federal and state laws may offer further protections against whistleblower retaliation.