How to Submit a HIPAA Complaint Online: A Step-by-Step Guide

This step-by-step guide shows you how to submit a HIPAA complaint online through the OCR Complaint Portal. You will learn what qualifies as a violation, what information you must provide, and how to track your case while protecting your confidentiality.

Overview of HIPAA Complaints

HIPAA gives you rights over your protected health information and requires safeguards by every HIPAA covered entity and its business associate partners. If you believe your privacy, security, or access rights were violated, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

Common issues include impermissible disclosures, failure to provide timely access to records, lack of safeguards, or uses of data beyond treatment, payment, or operations. Anyone may file—patients, family members, employees, or representatives—so long as the complaint describes a potential HIPAA violation.

OCR investigates complaints, resolves many through early resolution, and may require corrective actions. Filing promptly with accurate details increases the chance of an efficient review.

Methods to File a HIPAA Complaint

You can file in several ways. Choose the option that fits your needs and any accessibility requirements, but online filing is usually the fastest.

• Online via the OCR Complaint Portal: upload documents, answer screening questions, and receive confirmation immediately.
• Mail or fax: send a signed letter or form with all complaint submission requirements; processing may take longer.
• Email: submit a signed, scanned complaint with attachments; keep sensitive data secure when sending.
• Assistance from a representative: an advocate or attorney can file for you with written authorization.

When filing, you may request complainant confidentiality so OCR does not share your identity with the entity if it can investigate without doing so. Note that requesting confidentiality can limit what OCR can disclose to you about the investigation.

Using the OCR Complaint Portal

Step 1: Gather facts and documents

Collect the names of the HIPAA covered entity and any business associate involved, dates of the incident, what happened, and how it affected you. Assemble supporting items such as letters, emails, screenshots, or policies.

Step 2: Access the portal and start a new complaint

Open the OCR Complaint Portal and choose the option to submit a Health Information Privacy complaint. You can file without creating an account, or create one to save drafts and check status more easily.

Step 3: Complete screening questions

Answer brief prompts that confirm the issue relates to HIPAA and falls within OCR’s authority. If your matter belongs with another agency, the portal will direct you accordingly.

Step 4: Identify the respondent

Enter the legal name, location, and contact details of the covered entity or business associate. If multiple organizations are involved, list each one and describe their roles.

Step 5: Describe what happened

Provide a clear timeline, specific dates, who was involved, and the type of information affected. State any harm or risks and whether the issue is ongoing. Attach relevant files to support the facts.

Step 6: Provide your information and preferences

Enter your contact details, language or accessibility needs, and whether you request complainant confidentiality. Indicate if you authorize someone to communicate with OCR on your behalf.

Step 7: Certify and submit

Review your entries, electronically sign the certification, and submit. Save the confirmation page or case number; you will need it to follow up and check status.

Required Information for Complaints

Strong complaints meet OCR’s complaint submission requirements and make review faster. Prepare the following:

• Your name, mailing address, phone number, and email; or representative details with written authorization.
• The names and addresses of each HIPAA covered entity and any business associate involved.
• Dates of the alleged violation(s) and whether the problem is ongoing.
• A concise narrative describing what occurred, how HIPAA was violated, and the type of protected health information involved.
• Supporting documentation (e.g., denial letters, audit logs, emails, bills, notices, or policies).
• Your request for complainant confidentiality, if desired, and your preferred communication method.
• An electronic or handwritten signature certifying the information is true to the best of your knowledge.

Include only what is necessary to explain the facts. If you file for someone else, attach proof of authority such as a power of attorney or guardianship documents.

Complaint Submission Deadlines

The complaint filing deadline is generally 180 days from the date you knew, or should have known, about the alleged violation. If you miss this window, OCR may still accept your complaint if you show good cause for the delay.

Good cause examples include serious illness, incapacitation, difficulty obtaining records needed to understand the violation, or not learning of the violation until later. File as soon as possible and explain any delay clearly in your submission.

If the issue is continuing, note that in your complaint and provide the earliest and most recent dates. Timely filing protects your rights and helps OCR investigate effectively.

Prohibition of Retaliation

HIPAA’s retaliation prohibition forbids a covered entity or business associate from intimidating, threatening, coercing, or discriminating against you for filing a complaint, assisting an investigation, or exercising your HIPAA rights.

Retaliation can include firing, demotion, denial of services, higher charges, harassment, or refusal to provide records. Document any retaliatory acts, keep copies of communications, and report them to OCR as a separate concern.

Request complainant confidentiality if you fear retaliation, and consider using a trusted representative. Protections apply to patients, employees, and others who participate in the complaint process.

Checking Complaint Status

After submission, watch for an acknowledgment from OCR. If you created a portal account, log in to the OCR Complaint Portal to view updates, upload additional documents, and respond to information requests.

Investigations vary in length based on complexity and volume. Promptly answer any OCR inquiries, keep your contact information current, and note your case number for faster assistance.

Conclusion

To recap, gather clear facts, file through the OCR Complaint Portal, meet complaint submission requirements, observe the complaint filing deadline, and safeguard your rights under the retaliation prohibition. Tracking your case and responding quickly helps OCR resolve your complaint efficiently.

FAQs.

Can I file a HIPAA complaint online?

Yes. The fastest way is through the OCR Complaint Portal, which lets you answer screening questions, upload documents, request complainant confidentiality, and receive a confirmation number immediately.

What information is required to submit a HIPAA complaint?

Provide your contact information, the covered entity or business associate involved, the dates and facts of the incident, a clear narrative of what happened, and any supporting documents. You must also certify your statement and indicate whether you request confidentiality.

How long do I have to file a HIPAA complaint?

Generally, you have 180 days from when you knew or should have known about the violation. OCR may accept late complaints if you show good cause, so explain any delay in your submission.

Is retaliation allowed after filing a HIPAA complaint?

No. HIPAA prohibits retaliation for filing a complaint, helping with an investigation, or asserting your rights. If retaliation occurs, document it and report it to OCR as a separate issue.