Step-by-Step Guide to Reporting HIPAA Violations


Kevin Henry

HIPAA

January 04, 2024

5 minute read

If you suspect a breach of medical privacy, this step-by-step guide helps you report it confidently and effectively. You will learn how to spot issues involving Protected Health Information, escalate concerns to a HIPAA Privacy Officer, and, when needed, file an Office for Civil Rights Complaint using the Health Information Privacy Complaint Form.

Whether the issue involves Covered Entity Compliance or Business Associate Responsibilities, following these steps ensures your report is complete, timely, and more likely to drive corrective action.

Identify HIPAA Violations

Spot the common red flags

  • Unauthorized access or “snooping” in medical records without a legitimate job-related purpose.
  • Improper use or disclosure of Protected Health Information (PHI) beyond the minimum necessary.
  • Lack of reasonable safeguards (for example, unencrypted devices, shared passwords, or unattended charts).
  • Failure to provide timely access to your own records, or to deliver a Notice of Privacy Practices.
  • Missing or inadequate Business Associate Agreements for vendors handling PHI.

What is not a violation

Incidental disclosures that occur despite reasonable safeguards (e.g., a name overheard at a nurse station) typically are not violations. Focus on patterns, willful actions, or systemic gaps that put PHI at risk.

Document what you observe

  • Who was involved, what happened, where, and when (dates and times).
  • Systems, records, or locations affected and the type of PHI involved.
  • Any immediate harm, risk, or mitigation steps taken.

Report Violations Internally

Start with the designated contacts

Report concerns to the organization’s HIPAA Privacy Officer or Security Officer, or use the compliance hotline or incident portal if available. Include concise facts, not speculation, and request written acknowledgment.

Escalate appropriately

If a vendor is involved, notify the covered entity contact so they can enforce Business Associate Responsibilities under the BAA. If internal channels are unresponsive or the risk is serious, prepare to elevate the matter externally.

Preserve evidence

  • Keep copies of emails, screenshots, or audit logs that show access or disclosure.
  • Avoid accessing the records again “to check”; re-opening a record without a legitimate job-related purpose can itself be an unauthorized access.
  • Record all follow-ups and dates to establish a clear timeline.

File Complaints with OCR

When to file

File an Office for Civil Rights Complaint if internal efforts stall, retaliation occurs, or the violation is significant (e.g., large-scale exposure, repeated noncompliance). You may file for yourself or on someone’s behalf.

How to file

Submit the federal Health Information Privacy Complaint Form online or by mail. You can name multiple organizations if needed, including covered entities and business associates, and attach supporting documentation.

Submit Required Information

Core details to include

  • Your contact information and your relationship to the incident (patient, workforce member, representative).
  • The organization(s) involved and whether each is a covered entity or business associate.
  • Dates the incident occurred and when you discovered it.
  • A clear description of what happened, the type of PHI involved, and any harm or risk.
  • Steps the organization took (or failed to take) toward Covered Entity Compliance or Business Associate Responsibilities.
  • Any internal report numbers, emails, or audit findings that support the facts.

Evidence best practices

  • Provide copies, not originals; redact unrelated sensitive details where feasible.
  • Label exhibits (e.g., “Exhibit A—Email Thread”) and reference them in your narrative.
  • Keep a personal log of dates, contacts, and responses for follow-up.

Observe Filing Deadlines

OCR generally requires complaints to be filed within 180 days of when you knew, or should have known, about the violation. If more time has passed, explain any good cause for the delay. Earlier filing preserves evidence and improves the chances of an effective investigation.

Also follow any internal reporting timelines in your organization’s policy so corrective action can begin promptly.

Cooperate with Investigations

What to expect

  • Requests for documents such as policies, training records, BAAs, risk analyses, and audit logs.
  • Interviews or written questions to clarify facts, scope, and impact.
  • Follow-up inquiries about mitigation, patient notifications, or remediation plans.

How to respond

  • Answer accurately and on time; if you need more time, communicate early.
  • Share only what is necessary; avoid introducing unrelated PHI.
  • Maintain a response log (what was sent, to whom, and when) for consistency.

Understand Retaliation Protections

The HIPAA Retaliation Prohibition bars covered entities and business associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint or participating in an investigation. Retaliation itself can be a separate violation.

If retaliation occurs

  • Document specific actions (e.g., schedule changes, demotion, termination) and dates.
  • Report the conduct to OCR as part of your complaint or as a new allegation.
  • Preserve relevant messages or directives that show motive or timing.

Conclusion

Identify the issue, report it internally, and, if needed, submit a well-documented complaint to OCR within deadlines. Provide the required facts, cooperate with requests, and rely on anti-retaliation protections to ensure a fair process that strengthens privacy safeguards for everyone.

FAQs

How do I know if a HIPAA violation has occurred?

Look for unauthorized access or disclosure of Protected Health Information, missing safeguards, refusal to provide timely access to your records, or repeated noncompliance. Patterns, willful actions, or systemic gaps are strong indicators.

What information is needed to file a HIPAA complaint?

Provide your contact details, the organization(s) involved, incident dates, a clear description of what happened, the type of PHI affected, any harm, and supporting documents. Reference internal report numbers and outline steps taken toward compliance or remediation.

Where do I submit a HIPAA violation report?

After internal reporting, submit an Office for Civil Rights Complaint to the federal agency that enforces HIPAA, typically using the Health Information Privacy Complaint Form. You may file online or by mail.

How long do I have to file a HIPAA complaint?

Generally, you have 180 days from when you knew, or should have known, about the violation. If you file later, include a brief explanation of good cause for the delay.
