Reporting HIPAA Violations: How to File a Complaint (Steps, Deadlines, and What to Include)

Kevin Henry

HIPAA

March 15, 2024

7 minutes read

When privacy or security safeguards fail, reporting HIPAA violations helps protect your health information and prompts corrective action. This guide walks you through filing a HIPAA complaint, what to include, key HIPAA complaint deadlines, and what to expect once your report is submitted.

Filing a HIPAA Complaint

Who can file and where complaints go

You may file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) if you believe a covered entity or its business associate violated HIPAA. Covered entities include most health care providers, health plans, and health care clearinghouses; business associates handle protected health information (PHI) on their behalf. You can file for yourself or on someone else’s behalf as an authorized representative.

What conduct qualifies

Complaints may allege Privacy Rule violations (improper uses, disclosures, or denial of access to records), Security Rule breaches (inadequate administrative, physical, or technical safeguards for electronic PHI), or failures under the Breach Notification Rule (untimely or missing notifications after a breach of unsecured PHI). Describe the conduct clearly so OCR can determine which rule applies.

Deadlines to act

File as soon as possible. Generally, you must submit your complaint within 180 days of when you knew, or should have known, about the potential violation. OCR may extend HIPAA complaint deadlines if you show good cause for delay, but timeliness improves your chances of a full review.

If the issue isn’t HIPAA

Some problems—such as workplace surveillance unrelated to health coverage or a fitness app sharing data outside a covered entity relationship—may fall outside HIPAA. You can still explain why you believe HIPAA applies; OCR will confirm jurisdiction and, if needed, point you toward other avenues.

Information Required for Filing

Core details to include

  • Your name and contact information (mailing address, phone, and email). OCR generally needs to be able to reach you to investigate and follow up, so complaints that omit contact details are far less likely to be pursued.
  • The name of the covered entity or business associate you believe violated HIPAA, plus any relevant departments or individuals.
  • Dates and times of the incident(s) and whether the problem is ongoing.
  • A concise description of what happened: what PHI was involved, how it was used or disclosed, and why you believe it violates the Privacy Rule, Security Rule, or Breach Notification Rule.
  • Any steps you took to resolve the issue (e.g., requests for records, access denials, or security concerns raised internally) and the responses you received.
  • Supporting materials: letters, emails, screenshots, portal messages, access logs, notices of privacy practices, breach letters, or policies.
  • Whether you received breach notification, when it arrived, and what it said.
  • Any known details about the incident (for example, ransomware, lost device, misdirected mailing) and whether mitigation was offered.
  • Information suggesting gaps in covered entity reporting obligations (e.g., no notice despite a known incident).

Online submissions use an electronic signature. For mailed complaints, sign your letter. If filing for someone else, include your authority (e.g., legal guardian, power of attorney) and any documentation establishing representation.

Filing a Complaint Online

Using the OCR Complaint Portal

The fastest way to report is through the OCR Complaint Portal. You will create or use a secure account, enter details about the covered entity, select the type of issue (Privacy Rule, Security Rule, or Breach Notification Rule), describe what happened, and upload documents. You can save progress, submit electronically, and receive a confirmation number.
Tips for a strong submission

  • Organize a timeline. Tie each event to a date and identify who was involved.
  • Map facts to the rule. For example, “denied right-of-access request” (Privacy Rule), “unencrypted laptop containing ePHI lost” (Security Rule), or “no notification letter received months after a reported breach” (Breach Notification Rule).
  • Attach readable files. Use PDFs or clear images and label them (e.g., “Access Request 2025-01-10”).
  • State the outcome you seek: access to records, correction, policy changes, or investigation.

Filing a Complaint in Writing

What to include in a mailed complaint

  • Your and the entity’s contact information.
  • Dates, a factual narrative, and which HIPAA rule you believe applies.
  • Copies of supporting documents (do not send originals).
  • Your signature and the date. If you are a representative, explain your relationship and authority.

Practical mailing tips

  • Use clear, legible printing and page numbers.
  • Include a cover page summarizing key facts and a document index.
  • Keep a complete copy and proof of mailing for your records.

Retaliation Prohibited

Retaliation protections under HIPAA forbid covered entities and business associates from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action because you filed a complaint, opposed unlawful practices, or participated in an investigation. Retaliation can include firing, demotion, harassment, denial of services, or policy-based penalties aimed at discouraging reports.

If you experience retaliation, document the action, preserve messages or write-ups, and include these details in your complaint. You can file a new complaint focused on retaliation or add it to your existing submission.

What Happens After Filing

Initial review and jurisdiction

OCR confirms it received your complaint, reviews it for completeness, and determines whether the facts—if true—would violate HIPAA and whether the respondent is a covered entity or business associate. If more information is needed, OCR will contact you.

Investigation and resolution paths

  • Technical assistance: OCR may resolve minor or first-time issues by educating the entity and confirming corrective steps.
  • Voluntary compliance or corrective action: The entity agrees to specific fixes—policy updates, training, access fulfillment, or security enhancements—and provides proof.
  • Formal investigation: OCR gathers records, interviews witnesses, and assesses compliance with the Privacy Rule, Security Rule, and Breach Notification Rule.

Outcomes you may see

  • Closure with no violation found or with corrective action taken.
  • Resolution agreements and corrective action plans for systemic issues.
  • Civil monetary penalties in serious or willful cases. OCR does not award individual damages; HIPAA creates no private right of action, so you cannot sue an entity under HIPAA itself for money, although state law may offer other remedies.

Covered entity reporting checks

In breach cases, OCR may review whether the entity met its covered entity reporting duties: individual notices without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI, reporting to HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and, for breaches affecting more than 500 residents of a state or jurisdiction, notice to prominent media outlets. Keep your contact information current so OCR can follow up quickly.

Bottom line

Reporting HIPAA violations is straightforward: act within the 180-day window, provide a clear narrative with dates, attach evidence, and submit via the OCR Complaint Portal or by mail. Strong, well-organized complaints help OCR address Privacy Rule violations, Security Rule breaches, and Breach Notification Rule failures efficiently.

FAQs

What information is required to file a HIPAA complaint?

Provide your contact details, the covered entity or business associate’s name, dates of the incident, a concise description of what happened, which HIPAA rule you believe was violated, and any supporting documents. If filing for someone else, include your authority to represent them. For breach issues, note whether you received notification and when.

How can I file a HIPAA complaint online?

Use the OCR Complaint Portal. Create or access your account, enter the entity’s information, select the issue type (Privacy Rule, Security Rule, or Breach Notification Rule), describe the facts, upload supporting files, and submit with an electronic signature. You’ll receive a confirmation number for tracking.

What is the deadline to report a HIPAA violation?

Generally, you must file within 180 days from when you knew, or should have known, of the potential violation. OCR can grant extensions for good cause, but filing promptly preserves details and improves review speed.

What happens after I file a HIPAA complaint?

OCR acknowledges your complaint, checks jurisdiction, and may request more information. It can provide technical assistance, seek voluntary corrective action, or open a formal investigation. Outcomes range from closure with corrective steps to resolution agreements or civil penalties. OCR does not award individual monetary damages.