How to Report HIPAA Violations: Who to Contact, Timelines, Requirements
Knowing how to report HIPAA violations helps protect patient privacy, stop ongoing risks, and trigger required actions under the HIPAA Breach Notification Rule. This guide explains who to contact, what to include in your report, and the timelines that apply so you can act quickly and correctly.
Reporting HIPAA Violations Internally
Start with your organization’s internal process. Covered entities and business associates are required to designate contacts to receive complaints and investigate incidents. Prompt internal reporting enables rapid containment and documentation.
Who to notify
- Privacy Officer or HIPAA Compliance Officer listed in your Notice of Privacy Practices or policy manual.
- Your supervisor or manager, if policies direct you to route concerns through leadership.
- Compliance hotline or anonymous reporting channel, if available.
What to include in your internal report
- What happened: a clear, factual description (viewed, used, disclosed, lost, or stolen PHI; systems involved).
- When and where it occurred, and who was involved (workforce, vendors, recipients).
- Types of PHI affected (e.g., names, dates of birth, diagnoses, SSNs), and estimated number of individuals.
- Immediate steps taken (device disabled, account locked, recipient contacted).
- Supporting documentation such as emails, screenshots, audit logs, or photos; omit any PHI that is not needed to describe the incident.
Special considerations
- Business associates should notify the covered entity without unreasonable delay and as required by contract (60 days is the federal outer limit for breaches).
- Patients and family members may report concerns to the organization’s listed contact or front desk, requesting escalation to the Privacy Officer.
- You may request confidentiality; only those who need to know should be informed during the review.
Reporting HIPAA Violations Externally
If internal resolution is unavailable, delayed, or the risk is serious, you may report externally. The primary federal enforcer of HIPAA is the U.S. Department of Health and Human Services’ Office for Civil Rights.
When to escalate
- Significant misuse or unauthorized disclosure of PHI.
- Pattern of noncompliance or ignored internal complaints.
- Threats, intimidation, or other barriers to internal reporting.
External options
- Office for Civil Rights (OCR) for HIPAA privacy, security, and breach issues.
- State Attorneys General or professional licensing boards for complementary enforcement under state law or professional standards, if applicable.
- Law enforcement if criminal activity is suspected (e.g., theft of devices or identity theft).
Filing a Complaint with OCR
You can file with OCR whether you are a patient, workforce member, or representative. Filing is free and can be done online through the OCR Complaint Portal or by mail, email, or fax.
How to submit
- Use the OCR Complaint Portal to enter details and upload documentation; you may also submit a written complaint.
- If filing for someone else, indicate your relationship and include authorization, if required.
- You may request that OCR keep your identity confidential to the extent possible.
When to submit
- File within 180 calendar days from when you knew or should have known of the violation.
- OCR may extend this deadline for good cause; explain any delay in your complaint.
What to expect after filing
- OCR reviews for jurisdiction and completeness, may contact you for more information, and can seek early resolution or conduct an investigation.
- Outcomes can include corrective action, a resolution agreement with monitoring, or closure if insufficient evidence.
OCR Complaint Requirements
Submitting a complete, well-organized complaint speeds review. Provide concise facts and attach the relevant supporting documentation.
Essential elements to include
- Your name and contact information (or your representative’s), with any confidentiality request.
- Name of the covered entity or business associate and locations involved.
- Specific dates, what occurred, who was involved, and how PHI was accessed, used, or disclosed.
- Types of PHI involved and approximate number of affected individuals, if known.
- Steps taken internally (people notified, ticket numbers, dates) and any responses received.
- Supporting materials: policies, training records, audit logs, screenshots, correspondence.
- If filed late, a brief explanation of good cause for the delay.
Breach Notification to Affected Individuals
Under the Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. Business associates must promptly inform the covered entity so individual notices can be sent.
Content of the individual notice
- A brief description of what happened, including dates of breach and discovery.
- What information was involved (e.g., names, addresses, medical information, account numbers).
- Steps individuals should take to protect themselves (such as monitoring accounts or placing fraud alerts).
- What the organization is doing to investigate, mitigate harm, and prevent a recurrence.
- Contact methods for questions (toll-free number, email, postal address).
How notice must be delivered
- First-class mail to the last known address, or email if the individual has agreed to electronic notice.
- Substitute notice (e.g., website posting or media) if contact information is insufficient for 10 or more individuals; additional reasonable steps for urgent situations.
Breach Notification to HHS
In addition to notifying individuals, covered entities must notify the U.S. Department of Health and Human Services (HHS) about breaches.
Breaches affecting 500 or more individuals
- Notify HHS without unreasonable delay and no later than 60 calendar days after discovery.
- Notify prominent media outlets if the breach involves more than 500 residents of a single state or jurisdiction.
Breaches affecting fewer than 500 individuals
- Log all such breaches and report them to HHS no later than 60 days after the end of the calendar year in which they were discovered.
Role of business associates
- Business associates must notify the covered entity without unreasonable delay with details needed for the covered entity’s notices.
Retaliation Prohibited
Protection against retaliation applies when you report in good faith, oppose unlawful practices, or participate in an investigation. Covered entities and business associates may not intimidate, threaten, coerce, discriminate against, or retaliate against you for exercising HIPAA rights.
Examples of prohibited retaliation
- Termination, demotion, reduced hours, or undesirable reassignment tied to your report.
- Harassment, threats, or requiring you to waive your right to file a complaint.
If you experience retaliation
- Document what happened (dates, witnesses, messages) and report it to the Privacy Officer or HIPAA Compliance Officer.
- File a complaint with OCR describing the retaliatory actions and your underlying report.
In summary, act quickly: report internally to the Privacy Officer or HIPAA Compliance Officer, escalate externally to the Office for Civil Rights when needed, meet the 180-day OCR deadline, and remember that the Breach Notification Rule sets strict timelines for notifying individuals and HHS. Preserve clear supporting documentation and rely on the retaliation protections described above if you face pushback.
FAQs
Who is responsible for reporting HIPAA violations internally?
Every workforce member shares responsibility to report suspected violations promptly, typically to the organization’s Privacy Officer or HIPAA Compliance Officer. Managers must escalate concerns they receive, and business associates should alert the covered entity as required by policy and contract.
What is the deadline for filing a HIPAA complaint with OCR?
You generally must file within 180 calendar days from when you knew or should have known of the violation. OCR can extend this deadline if you show good cause for a delay.
How should a HIPAA complaint be submitted to OCR?
Submit online through the OCR Complaint Portal or send a written complaint by mail, email, or fax. Include the entity’s name, what happened, dates, your contact information, and any supporting documentation.
What protections exist against retaliation for reporting HIPAA violations?
HIPAA prohibits intimidation or retaliation against anyone who reports in good faith, participates in an investigation, or asserts HIPAA rights. If retaliation occurs, document it and file a complaint with OCR in addition to using internal channels.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.