Step-by-Step Guide to Filing a HIPAA Privacy Complaint


Kevin Henry

HIPAA

January 04, 2024


Determine Eligibility

Confirm OCR jurisdiction

Before you file a HIPAA privacy complaint, make sure the organization is subject to HIPAA and the Office for Civil Rights (OCR) has authority to review it. HIPAA applies to a covered entity—health plans, health care clearinghouses, and most health care providers that transmit data electronically—or to a business associate that performs services involving protected health information for a covered entity.

Eligible issues include uses or disclosures of protected health information without permission, denial of access or amendments to your records, failure to safeguard PHI, retaliation for exercising rights, or problems with a HIPAA violation notification after a breach. Concerns about non‑medical apps or employers may fall outside HIPAA unless they act as a covered entity or business associate.

Who can file

You can file for yourself, as a personal representative, or as any individual who believes a HIPAA violation occurred. You do not need an attorney to submit a complaint.

Gather Information

Collect facts and documents

Assemble a concise record of what happened and when. A clear, well‑organized submission helps OCR assess your allegations efficiently and supports an accurate complaint processing timeline.

  • Names and contact details for you and the organization (and any involved department or location).
  • Dates of each event, including discovery and any breach or HIPAA violation notification you received.
  • Description of what occurred, who was involved, and how PHI was used, disclosed, or withheld.
  • Type of protected health information affected (for example, diagnoses, billing, medications).
  • Copies of relevant communications, policies, screenshots, letters, and witness details.

Organize your timeline

Create a simple chronology noting the first event, follow‑up contacts, and responses. This makes it easier to demonstrate timeliness and show the scope of the alleged violation.

File the Complaint Electronically

Use the OCR Complaint Portal

The fastest way to submit a HIPAA privacy complaint is online through the OCR Complaint Portal. The portal guides you through required questions and allows you to upload supporting files.

  1. Identify the organization as a covered entity or business associate.
  2. Enter your contact information and preferred communication method.
  3. Describe what happened, when it occurred, and which rights you believe were violated.
  4. Attach documents that support your account, including any HIPAA violation notification letters.
  5. Review, certify the information is true, and submit the complaint.

Tips for a complete online filing

  • Use specific dates and names; avoid generalities like “sometime last year.”
  • Combine multiple related events in one narrative, but separate unrelated issues.
  • Redact unrelated sensitive data before uploading attachments.

File the Complaint In Writing

Health Information Privacy Complaint Form

If you prefer paper, complete the Health Information Privacy Complaint Form. You can also write a signed letter that includes the same information the form requests if the form is unavailable to you.


Submission options

  • Mail: Send the completed form or letter to the appropriate OCR regional office.
  • Email or fax: Follow OCR instructions for electronic submission of written complaints.
  • Keep copies: Retain a copy of everything you submit for your records.

Include Necessary Details

What to include

  • Your name, mailing address, phone, and email.
  • Organization’s full name, address, and role (covered entity or business associate).
  • Dates of the incident(s) and when you learned of them.
  • Clear description of what occurred and how protected health information was involved.
  • Any steps you took to resolve the issue and the organization’s response.
  • Copies of relevant policies, emails, letters, or HIPAA violation notification documents.
  • Impact on you and the outcome you seek (for example, access, correction, security improvements).

Make it easy to understand

Use short paragraphs and headings in your narrative, label attachments, and reference them in the text. Precision improves the quality and speed of review.

Submit Within Timeframe

Know the filing deadline

Generally, you should file within 180 days of when you knew an act or omission occurred. If you missed the 180‑day window, explain any good cause for delay so OCR can consider an extension.

Timeliness tips

  • Record discovery dates, not just incident dates.
  • File promptly even if you are still gathering documents—you can supplement later.
  • If the issue involves breach notices, note when the HIPAA violation notification arrived or should have arrived.

Await OCR Response

What happens after you submit

The Office for Civil Rights (OCR) acknowledges receipt, screens for jurisdiction and timeliness, and decides whether to open an investigation, seek an early resolution, provide technical assistance, or refer the matter elsewhere. You may be asked for more information during this process.

Typical complaint processing timeline

Timeframes vary with complexity, evidence, and cooperation. Many matters resolve through technical assistance or early resolution, while formal investigations can take longer and may lead to corrective action plans or other remedies. OCR notifies you in writing when it closes the case.

Stay engaged

  • Respond quickly to OCR requests for clarification or documents.
  • Provide updates if you receive additional records or communications from the organization.
  • Retain OCR correspondence and your case number for reference.

Conclusion

To file a HIPAA privacy complaint effectively, confirm eligibility, compile clear facts, submit via the OCR Complaint Portal or the Health Information Privacy Complaint Form, meet the 180‑day deadline, and monitor communications. A precise record and well‑organized evidence support a smoother complaint processing timeline and a more efficient resolution.

FAQs

What entities are eligible for a HIPAA complaint?

You can file against a covered entity—such as a health plan, health care clearinghouse, or most health care providers that transmit information electronically—or a business associate that handles protected health information on a covered entity’s behalf. Vendors or apps are only covered if they meet these roles.

How do I submit a HIPAA complaint online?

Use the OCR Complaint Portal to enter your information, identify the organization, describe the events, and upload supporting documents. Review your answers carefully, certify accuracy, and submit to receive confirmation and a case reference.

What information is required in a HIPAA complaint?

Provide your contact details; the organization’s name and role (covered entity or business associate); dates; a detailed description of what happened; how protected health information was affected; any HIPAA violation notification materials; and copies of relevant emails, letters, or policies. State the outcome you are seeking.

What is the deadline for filing a HIPAA complaint?

You generally must file within 180 days of when you knew about the issue. If you file later, include an explanation of good cause so OCR can consider extending the timeframe.
