Submit a HIPAA Complaint Online: Step-by-Step Guide to the HHS OCR Portal
Accessing the OCR Complaint Portal
The Office for Civil Rights Complaint Portal lets you complete HIPAA violation reporting fully online. Before you begin, confirm that the organization you plan to report is a covered entity or a business associate subject to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Gather key details in advance: the organization’s legal name and location, dates of the incident, people involved, and any supporting documents (letters, emails, screenshots). Having these ready makes the online form faster and more accurate.
- Start the complaint and select the HIPAA option within the portal.
- Create or use an existing account if you want to track messages; otherwise, you can proceed as a guest.
- Save progress as you go to prevent losing information while drafting your complaint.
Selecting the Complaint Type
Early in the form, you will choose the type of issue. For HIPAA matters, select the option that best matches your concern—Privacy Rule (improper use or disclosure, denial of access), Security Rule (insufficient safeguards for electronic PHI), or Breach Notification (failure to notify after a breach). Picking the right category helps OCR route your complaint correctly.
Covered Entity vs. Business Associate
A covered entity is typically a health plan, most healthcare providers, or a healthcare clearinghouse. A business associate is a vendor that creates, receives, maintains, or transmits protected health information for a covered entity (for example, a billing company, EHR vendor, or cloud provider). Select the one that best describes the organization you are reporting.
Providing Complainant Information
You will be asked for your name, mailing address, phone, and email so OCR can contact you about your complaint. If you are filing for someone else, indicate your relationship and your authority to act (for example, parent, guardian, or personal representative) and be ready to provide documentation if requested.
Sharing accurate contact details enables OCR to clarify facts, request a consent form if needed, and update you on status. HIPAA includes retaliation protection, which means covered entities and business associates are prohibited from intimidating or retaliating against you for filing a complaint.
Detailing the HIPAA Violation
Use clear, factual language to describe what happened, when it occurred, where it happened, who was involved, and why you believe the HIPAA Privacy Rule or Security Rule was violated. If you know which rule applies, state it; otherwise, explain the impact (for example, unauthorized disclosure, snooping, failure to safeguard ePHI, or lack of breach notice).
Evidence and Documentation
Attach relevant files that support your account, such as notices you received, correspondence, screenshots, or policy excerpts. Reference the attachments in your narrative (for example, “See Attachment A: email dated May 10”). Redact unrelated personal information before uploading.
Submitting Consent and Electronic Signature
OCR may need your permission to share details of your complaint—including your identity and relevant health information—with the organization you’re reporting. The portal will present a consent form explaining what may be disclosed and for what purpose. You can grant or decline consent; declining may limit OCR’s ability to investigate.
When consent is required
- If you file on behalf of another person, OCR generally needs that person’s signed authorization or proof of your authority as a personal representative.
- If investigation requires identifying you or the patient to the organization, OCR will seek consent before disclosing that information.
Finish by providing your electronic signature, certifying that your statements are true to the best of your knowledge.
Reviewing and Submitting the Complaint
Carefully review each section before submitting. Confirm names, dates, and the description of events; verify attachments display correctly; and ensure your preferred contact method is accurate. Submit the complaint and store any confirmation page or reference number for your records.
After you submit
- OCR screens your complaint for timeliness and HIPAA jurisdiction.
- You may be contacted for clarification, additional documents, or a signed consent form.
- Depending on findings, OCR may open an investigation, seek early resolution, require corrective action, or close the matter with technical assistance.
Understanding Complaint Submission Deadlines
In general, you should file within 180 days of when you knew or should have known about the alleged HIPAA violation. OCR can extend this deadline if you show good cause—for example, serious illness, incapacitation, or other circumstances beyond your control.
- File as soon as possible; waiting can make evidence harder to obtain.
- For ongoing or repeated conduct, explain the pattern and include the earliest and most recent dates you know about.
- If you are near the deadline, submit the core facts now and note that additional documents will follow.
By gathering facts early, selecting the correct complaint type, and completing the consent and signature steps, you set up OCR to evaluate your complaint efficiently and take appropriate action.
FAQs
How do I file a HIPAA complaint online?
Use the Office for Civil Rights Complaint Portal, choose the HIPAA option, identify the covered entity or business associate, provide your contact details, describe the incident with dates and facts, upload supporting documents, review, complete the consent form if applicable, e-sign, and submit.
What information is required to submit a HIPAA complaint?
You will need the organization’s name and location, the type of issue (Privacy Rule, Security Rule, or Breach Notification), a detailed description of what happened and when, your contact information, and any documents that support your account. OCR may also request a consent form to share your identity or health information during the investigation.
Can I file a HIPAA complaint anonymously?
You can submit a complaint without sharing your name, but OCR’s ability to investigate and follow up is limited without contact information. You may also decline to let OCR disclose your identity to the organization by not providing consent; however, that choice can restrict what OCR can do.
What are the deadlines for filing a HIPAA complaint?
Generally, file within 180 days of when you knew or should have known about the alleged violation. OCR may grant extensions for good cause, but you should submit as soon as possible and provide any supporting reasons if you are filing after the 180-day period.