Navigating the HIPAA Complaint Process: A Step-by-Step Guide

Kevin Henry

HIPAA

January 18, 2024

Filing a HIPAA Complaint

Who can file and when

If you believe a covered entity or business associate mishandled protected health information, you can report the potential HIPAA violation. Anyone may file: patients, personal representatives, workforce members, or any other person who believes a violation occurred.

Submit your complaint as soon as possible. Generally, you must file within 180 days of when you knew—or reasonably should have known—about the potential violation. Extensions may be granted for good cause, so explain any delay.

What to include

  • Your name and contact information (or your representative’s).
  • The name of the organization and location involved.
  • Specific dates, a clear description of what happened, and how your rights were affected.
  • Any witnesses, case numbers, screenshots, letters, or relevant records.
  • Whether the issue is ongoing and if you tried to resolve it directly.

Provide enough detail for investigators to understand the event, but avoid sharing unnecessary sensitive data. Attach only what supports the allegation.

Where to file

For Privacy, Security, and Breach Notification issues, file with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), including via the OCR complaint portal. For transaction standards, code sets, identifiers, or operating rules, use the CMS process described below under administrative simplification enforcement.

Filing Methods

Electronic submission

You can file electronically using the OCR complaint portal. Online filing guides you through required fields, allows document uploads, and speeds intake. Keep confirmation numbers for your records.

Mail, email, or fax

OCR also accepts complaints by mail, email, or fax using its standard form. If you choose a paper route, include all supporting materials and ensure your submission is signed and dated.

Representation and accessibility

You may authorize someone to file on your behalf. Interpretation services and disability accommodations are available on request so you can submit a complete, accessible complaint.

Complaint Review Process

Intake and jurisdiction

OCR screens your complaint for timeliness, jurisdiction, and sufficiency. If it lacks key facts, you may be asked for more information. Non-jurisdictional matters may be referred to the proper agency.

Complaint investigation procedures

When OCR opens a case, investigators request records, interview witnesses, and assess compliance controls. They evaluate risk, harm, and whether the entity met HIPAA requirements, including safeguards and breach response duties.

Findings and outcomes

Outcomes range from technical assistance and voluntary corrective action plans to resolution agreements and monitoring. In cases of willful neglect or persistent noncompliance, civil monetary penalties may be imposed.

Retaliation Prohibition

Your right to be free from retaliation

Covered entities and business associates may not intimidate, threaten, coerce, or discriminate against you for filing a complaint, assisting an investigation, or opposing unlawful practices.

If retaliation occurs

Document the conduct and report it to OCR as part of your case or in a new complaint. Retaliation itself can trigger enforcement and remedial measures.

Documentation Requirements

Evidence to gather

  • A concise timeline with dates and people involved.
  • Copies of notices, forms, authorizations, or communications that show what happened.
  • System messages, portal screenshots, billing statements, or breach notices tied to the incident.

Submit legible copies and retain originals. Redact unrelated sensitive details when possible.

Complaint documentation retention

Keep your submission, correspondence, and confirmations until the case closes and for your records thereafter. Organize files by date so you can quickly respond to investigator requests.

Complaint Resolution Timeline

Filing deadline vs. investigation length

The filing deadline is generally 180 days from discovery of the issue. Investigation times vary: some matters resolve in weeks with technical assistance, while complex cases can take months or longer.

After resolution

OCR issues a closure or resolution letter explaining the outcome. If systemic issues are found, the entity may adopt corrective action plans and undergo monitoring. Penalties are possible when warranted.

Filing a Complaint with CMS

When CMS is the right venue

Use CMS for administrative simplification enforcement involving transaction standards (e.g., X12), code sets, identifiers (NPI), EFT/ERA, and operating rules. These are different from privacy or security violations handled by OCR.

How to file with CMS

Submit electronically through CMS’s Administrative Simplification complaint process. Provide who is out of compliance, a description of the standard at issue, sample transactions or error messages, dates, and contacts for the trading partner.

Potential outcomes

CMS may provide education, require corrective actions, or take enforcement steps. Patterns of noncompliance can prompt broader outreach, corrective action plans, or civil monetary penalties when appropriate.

Key takeaways

  • Direct privacy, security, and breach issues to OCR; transaction and operating rule problems to CMS.
  • File promptly, include specific facts, and organize evidence to streamline review.
  • Expect education or corrective action for many cases, with penalties reserved for serious or willful violations.

FAQs

How do I file a HIPAA complaint?

Decide whether the issue is privacy/security/breach (file with OCR) or administrative simplification (file with CMS). Gather dates, names, what occurred, and supporting documents. Submit electronically via the OCR complaint portal or CMS’s online system, or use mail/email options where available.

What is the deadline for filing a HIPAA complaint?

You generally must file within 180 days of when you knew or should have known about the potential violation. If you missed that window, explain the reason; agencies may grant extensions for good cause.

Can I file a complaint electronically?

Yes. OCR accepts electronic submissions through its complaint portal, and CMS accepts online filings for administrative simplification issues. Electronic filing speeds intake and lets you upload evidence.

What happens after a complaint is filed?

The agency screens for jurisdiction and timeliness, then may open an investigation. Investigators gather evidence, request records, and assess compliance. Outcomes include technical assistance, corrective action plans, resolution agreements, and, in serious cases, civil monetary penalties. Retaliation for filing is prohibited.
