Step-by-Step Guide to Filing a HIPAA Compliance Report

Kevin Henry

HIPAA

January 11, 2024


If you believe your privacy or security rights were violated, this step-by-step guide to filing a HIPAA compliance report shows you exactly how to prepare, submit, and follow through. You will learn who can file, what to include, where to file, and how the review process works.

Throughout, you will see key terms such as Protected Health Information, HIPAA Privacy Rule, and OCR Complaint Portal used in context so you can file a clear, effective complaint the first time.

Understanding HIPAA Complaint Eligibility

Who can file

Anyone who believes a covered entity or its business associate violated HIPAA may file a complaint. You can file for yourself, as a personal representative, or on behalf of someone else with appropriate authorization.

What conduct qualifies

Complaints typically allege improper use or disclosure of Protected Health Information, denial of access to records, inadequate safeguards, or failures to provide required notices under the HIPAA Privacy Rule and related standards. You may also complain about a business associate’s conduct tied to services performed for a covered entity, including issues described in Business Associate Agreements.

Who is subject to HIPAA

Covered entities include health care providers, health plans, and health care clearinghouses, plus their business associates. Consumer apps or organizations outside these categories may fall outside HIPAA, but you can still describe the facts and let the agency determine jurisdiction.

Meeting Complaint Requirements

Core elements

  • Your name and contact information (or your authorized role if filing for someone else).
  • The name of the covered entity or business associate you’re complaining about.
  • A clear description of what happened, when it happened, and why you believe it violates HIPAA Privacy Rule protections or other requirements.
  • Any steps you already took to resolve the issue and the responses received.
  • Your signature or attestation if filing electronically.

Supporting materials

  • Relevant correspondence, screenshots, notices, or policy excerpts that demonstrate the alleged violation.
  • Documents related to Business Associate Agreements if they help show responsibility for handling PHI.
  • A concise timeline highlighting key dates, people involved, and affected systems or locations.

Internal and external reporting

If you work for a covered entity or business associate, follow your organization’s Compliance Reporting Obligations while understanding that you may also report directly to the government without going through your employer.

Following the Filing Process

Step-by-step filing

  • Prepare your facts: summarize events, list dates, identify witnesses, and compile attachments.
  • Choose a submission method: the fastest is the OCR Complaint Portal; mail or other accepted methods are also available if you prefer paper.
  • Complete all required fields, describe the suspected violation, and identify the entity and any business associates involved.
  • Attest and submit: review for accuracy, sign or electronically attest, then submit.
  • Save proof: capture your confirmation page or tracking number and store your full submission package.
  • Respond promptly: if reviewers request clarifications or documents, reply quickly to keep the case moving.

After you file

Expect an acknowledgment and, if the matter proceeds, requests for additional details. Keep communications professional, factual, and concise.

Including Essential Information

What to include for clarity

  • Who: the covered entity and any business associate that handled the PHI.
  • What: the specific action or omission (for example, impermissible disclosure of Protected Health Information or denial of access).
  • When and where: precise dates, times, locations, and systems involved.
  • Why it matters: which obligations you believe were missed (for example, HIPAA Privacy Rule requirements or Breach Notification Requirements).
  • Impact: how you were affected and whether the incident is ongoing.
  • Evidence: emails, letters, screenshots, or policy excerpts that support your account.

Handling sensitive details

Include only the minimum necessary to explain the issue. Avoid sending originals; submit copies and keep the originals securely stored.

Complaint Documentation Retention

Maintain a complete file—your narrative, attachments, confirmation numbers, and all subsequent correspondence. Good Complaint Documentation Retention helps you answer follow-up questions and track outcomes over time.

Adhering to Filing Deadlines

You generally must file within 180 days of when you knew about the potential violation. If you are approaching the deadline, submit your complaint now and provide additional materials as requested.

Remember that Breach Notification Requirements apply to regulated entities, not to your filing deadline. If your complaint involves a breach, note when you were notified and include any notices you received as part of your evidence.

Recognizing Retaliation Protections

HIPAA prohibits covered entities and business associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint or participating in an investigation. Retaliation can include service denials, fee increases, harassment, or adverse job actions.

If you suspect retaliation, document each incident with dates, names, and communications, and include this information in your complaint or a supplemental report.

Initial review and jurisdiction

Reviewers assess whether the complaint is timely and within HIPAA’s scope. If accepted, they determine which rules may apply and whether to open an investigation.

Investigation and requests

The agency may seek records, policies, training logs, and technical details from the entity. You may be asked for clarifications; answer accurately and within stated time frames.

Outcomes you may see

  • No violation found and closure with explanation.
  • Technical assistance or corrective action by the entity.
  • Resolution agreements or other enforcement measures if warranted.

Your role during review

Stay responsive, organized, and factual. Keep your Complaint Documentation Retention file up to date so you can supply information quickly.

Conclusion

Filing a HIPAA compliance report is straightforward when you know the rules, deadlines, and information to include. By using the OCR Complaint Portal, aligning your narrative with the HIPAA Privacy Rule and related obligations, and keeping thorough records, you strengthen your complaint and support an efficient review.

FAQs

Who is eligible to file a HIPAA complaint?

Anyone who believes a covered entity or its business associate mishandled Protected Health Information or otherwise violated HIPAA may file. You can submit for yourself or, with proper authority, on behalf of someone else.

What information must be included in a HIPAA complaint?

Provide your contact details, the entity’s name, a clear description of what happened and when, why you believe it violates the HIPAA Privacy Rule or related requirements, and any supporting documents. Include business associate details and relevant notices if applicable.

How long do I have to file a HIPAA complaint?

In most cases, you have 180 days from when you knew about the potential violation. If you are close to the deadline, file immediately and supply additional details as requested.

What protections exist against retaliation for filing a complaint?

HIPAA bars retaliation by covered entities and business associates for filing or participating in a complaint. If retaliation occurs, document it and report it as part of your complaint or through a supplemental filing.
