When to File a HIPAA Complaint: What Qualifies and How Long You Have
Knowing when to file a HIPAA complaint starts with recognizing what counts as a violation and how long you have to act. This guide explains qualifying issues, the 180‑day filing window, submission methods, who HIPAA covers, retaliation protections, and how the Office for Civil Rights (OCR) reviews cases.
Identifying HIPAA Violations
Privacy Rule Violation
A Privacy Rule violation involves impermissible uses or disclosures of protected health information (PHI) or failure to honor your patient rights. Examples include snooping in records, sharing PHI without authorization, or denying you timely access to your records (generally within 30 days, with one allowable extension).
Other red flags include overbroad disclosures that ignore the “minimum necessary” standard, using PHI for marketing without valid authorization, or not providing a Notice of Privacy Practices.
Security Rule Breach
A Security Rule breach centers on inadequate administrative, physical, or technical safeguards for electronic PHI. Typical issues include not performing a risk analysis, weak access controls, lost or stolen unencrypted devices, or poor audit logging that allows unauthorized access to go undetected.
Breach Notification Requirement
After a breach of unsecured PHI, covered entities and, in some cases, business associates must notify affected individuals, OCR, and sometimes the media without unreasonable delay and no later than 60 days after the breach is discovered. Failure to send timely, complete notices can justify a HIPAA complaint.
What is not a HIPAA issue
HIPAA applies to covered entities and their business associates, not to every organization that handles health-related data. For example, a consumer health app that is not acting for a covered entity may fall outside HIPAA, and poor customer service that doesn’t involve PHI misuse is not a HIPAA violation.
Preparing Your Complaint
What to include
- Who: the name and contact information of the covered entity or business associate involved.
- What: a clear description of what happened, what PHI was involved, and why you believe it violates the Privacy Rule, Security Rule, or Breach Notification Requirement.
- When and where: specific dates, times, locations, and a concise timeline.
- Evidence: copies of letters, emails, screenshots, policies, breach notices, or witness names.
- Your details: your contact information and whether OCR may share your identity during the investigation.
Practical tips
- Stick to facts and keep PHI in your complaint to the minimum needed to explain the issue.
- Organize documents with labels (e.g., “Exhibit A: breach letter dated May 2”).
- If you need accommodations or language assistance, note that in your submission.
- You may file for yourself, your minor child, or someone who authorized you to act on their behalf.
Filing Deadlines and Extensions
In most cases, you must file within 180 days of when you knew, or should reasonably have known, about the act or omission. If multiple incidents occur, the clock generally runs from each incident or from when you first learned of ongoing conduct.
Good cause extensions
OCR may accept late complaints for good cause. Examples include serious illness, incapacitation, delayed discovery of a covert breach, inability to obtain key records promptly, or misdirection by the entity about how to complain. Explain the delay clearly and provide any supporting documentation.
If you’re past 180 days
Submit the complaint anyway with a short statement requesting an extension and describing why you could not file earlier. If the conduct is continuing, say so; continuing violations can affect how OCR views timeliness.
Methods to Submit a Complaint
OCR Complaint Portal (online)
The fastest method is the OCR Complaint Portal. Create or use an account, answer guided questions, upload supporting files, and certify your statements. You can save a draft and return before submitting.
Mail or fax
You may print and sign the complaint form and send it by mail or fax to the appropriate OCR regional office. Keep copies of everything you send and consider using a trackable delivery method.
Accessibility and representation
You can request auxiliary aids, language assistance, or appoint a personal representative. Indicate these needs in your submission so OCR can communicate with you effectively.
Entities Covered by HIPAA
Covered Entity
HIPAA covers health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically for certain transactions. Examples include hospitals, physician practices, pharmacies, and insurers.
Business Associate
A Business Associate is a vendor or partner that creates, receives, maintains, or transmits PHI for a covered entity, such as a billing company, cloud service provider, e-prescribing vendor, or data analytics firm. Subcontractors handling PHI are also treated as business associates.
Common non-covered entities
Employers, schools, life insurers, and many mobile health apps are not covered by HIPAA unless they are acting for a covered entity or a group health plan. An employer’s HR department is not a covered entity, but the employer’s self-funded health plan is.
Understanding Retaliation Protections
HIPAA’s Retaliation Prohibition forbids covered entities and business associates from intimidating, threatening, coercing, or discriminating against you for filing a complaint, assisting an investigation, or exercising your HIPAA rights. Retaliation can include firing, demotion, harassment, or denial of services.
Document any retaliatory acts with dates, names, and communications. You may file a separate retaliation complaint with OCR, and you can seek advice about other workplace protections that may also apply.
OCR Complaint Review Process
Intake and triage
OCR acknowledges your complaint, then checks jurisdiction, timeliness, and whether the facts, if true, would violate HIPAA. If needed, OCR may request clarifications or additional documents.
Investigation and early resolution
OCR may open an investigation, contact the entity, and review policies, training, and technical safeguards. Some matters resolve through voluntary corrective actions or technical assistance to quickly fix issues.
Outcomes and enforcement
When OCR finds noncompliance, it can require corrective action plans, monitoring, or resolution agreements, and in serious cases assess civil monetary penalties. Criminal violations may be referred to the Department of Justice.
Conclusion
File promptly, explain the facts clearly, and submit through the OCR Complaint Portal or by mail or fax. Understanding what qualifies, who is covered, and how OCR proceeds helps you protect your health information and pursue meaningful remedies.
FAQs
What types of violations qualify for a HIPAA complaint?
Qualifying issues include improper disclosures of PHI, denial or delay of record access, lack of reasonable safeguards for electronic PHI, and failures to provide timely breach notifications. Conduct by a covered entity or its business associate that violates the Privacy Rule, Security Rule, or Breach Notification Requirement can be the basis for a complaint.
How long do I have to file a HIPAA complaint?
You generally have 180 days from when you knew or should have known about the issue. If you miss that window, request a good-cause extension and explain the delay; OCR can accept late filings when justified.
Can I file a complaint against an employer?
You can file if the employer is acting as a covered entity or business associate, such as administering a self-funded health plan. Complaints about an employer’s general personnel files or workplace medical information that is not part of a covered plan or provider typically fall outside HIPAA.
What happens if I face retaliation for filing a HIPAA complaint?
Retaliation is prohibited. Document what occurred and file an additional complaint describing the retaliatory acts. OCR can require corrective actions, and you may have protections under other laws as well.