When to File a HIPAA Violation Complaint: What Qualifies, Deadlines, and How to Report


Kevin Henry

HIPAA

March 06, 2024

6 minute read

Identifying Qualifying HIPAA Violations

Who is covered and what information is protected

HIPAA applies to covered entities—health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions—and to their business associates, the vendors and contractors that create, receive, maintain, or transmit protected health information (PHI) on their behalf. PHI is individually identifiable health information held or transmitted by one of these organizations in any form or medium: oral, paper, or electronic. The electronic subset is called ePHI and is what the Security Rule protects.

Privacy Rule violations

  • Impermissible uses or disclosures of PHI (for example, sharing your diagnosis with an employer, or with a family member who is not involved in your care, without your authorization or another permitted basis).
  • Failure to provide a Notice of Privacy Practices or to honor your rights: access to your records, amendment, requested restrictions, confidential communications, and an accounting of disclosures.
  • Unnecessary or excessive disclosures that ignore the “minimum necessary” standard.

Security Rule compliance failures

  • Lack of reasonable and appropriate administrative, physical, and technical safeguards for ePHI (for example, no documented risk analysis, weak access controls, missing audit logging, or unencrypted laptops and portable media in violation of the organization’s own policy).
  • Inadequate workforce training, or no sanctions applied when staff mishandle PHI.

Breach Notification Rule lapses

  • Not notifying affected individuals after a breach of unsecured PHI.
  • Late, missing, or incomplete breach notices to individuals or to HHS when required.
  • Failure to document and assess incidents to determine whether a breach occurred.

What typically is not a HIPAA violation

HIPAA generally does not cover health data you store only for yourself (for example, in a personal wellness or fitness app) when no covered entity or business associate is involved. It also does not govern employment records held by an employer in its role as employer, or education records protected under FERPA. Complaints about these fall outside OCR’s HIPAA jurisdiction, although other laws or agencies may apply.

Understanding Filing Deadlines

File a complaint within 180 days of when you knew, or reasonably should have known, that the act or omission occurred. If the problem is ongoing, the date of the most recent incident is the safest date to count from, but describe the full history in your complaint.

OCR may waive the 180-day limit for good cause. Explain any circumstances that prevented timely filing, such as hospitalization, lack of notice that the violation had occurred, difficulty obtaining records, or other significant barriers, and submit as soon as possible.

When in doubt, file early. Timely filing helps preserve evidence, witness recollection, and records that support your claim.


Preparing a Written Complaint

Essential elements to include

  • Your name, contact information, and preferred method of communication.
  • The covered entity or business associate you are reporting, including location and department if known.
  • What happened, when it happened (specific dates or range), and how you learned of it.
  • Which rights or rules you believe were violated (HIPAA Privacy Rule, Security Rule compliance, or Breach Notification Rule).
  • Any harm or risk you experienced (for example, identity theft risk, humiliation, delay in care, or financial costs).
  • Steps you took to resolve the issue internally and any responses you received.
  • Whether you consent to OCR disclosing your identity to the organization during its review of the complaint. Withholding consent is your right, but it can limit OCR’s ability to investigate.

Supporting materials

  • Copies of emails, letters, screenshots, patient portal messages, policies, or forms that corroborate your account.
  • Names and roles of witnesses and staff involved, if available.
  • For access issues, your original request and proof of denial or unreasonable delay.

Using the OCR Complaint Portal

Step-by-step overview

  • Create or sign in to your OCR portal account to start a new health information privacy complaint.
  • Enter your contact information and indicate whom you are filing for (yourself or someone you represent).
  • Identify the organization (covered entity or business associate) and the location(s) involved.
  • Select the issue type and describe the incident clearly and concisely. Reference the applicable rule if you can.
  • Upload supporting documents (PDF, images, or scans). Redact unrelated sensitive details where feasible.
  • State whether OCR may disclose your identity to the organization. This can help investigation but is your choice.
  • Certify the accuracy of your statements and submit. Save your confirmation number for tracking.

After submission

  • Monitor your portal inbox for OCR requests. Respond promptly to avoid delays.
  • Keep all originals of your evidence and note any new incidents that occur after filing.

Reporting Retaliation Incidents

HIPAA’s anti-retaliation provision bars covered entities and business associates from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against you for filing a complaint, participating in an investigation or compliance review, or asserting your HIPAA rights in good faith.

What to document

  • Each retaliatory act (for example, denial of services, sudden bill collection, or termination of a business relationship) with dates, names, and messages.
  • Policies or communications that link the adverse action to your complaint or to your exercise of HIPAA rights.

Report retaliation in the same OCR complaint if it is still open, or as a supplemental submission with evidence, and ask OCR to address both the underlying violation and the retaliation.

Understanding the OCR Complaint Review Process

Initial assessment

  • OCR checks whether the complaint is timely, whether the organization is a HIPAA-covered entity or business associate, and whether the facts alleged, if true, could constitute a violation of the Privacy, Security, or Breach Notification Rules.
  • If the matter falls outside HIPAA (for example, a non-covered app, an employer’s own records, or a complaint about the quality of care rather than privacy), OCR may close the case or refer you to a more appropriate agency.

Resolution pathways

  • Technical assistance: OCR explains compliance obligations and expected fixes to the organization (or to you, if the issue is a misunderstanding of your rights) without a formal finding.
  • Early complaint resolution: OCR facilitates a prompt, informal resolution between you and the organization, typically for straightforward issues such as a delayed records request.
  • Investigation: OCR requests records and policies, interviews staff, and reviews the organization’s safeguards and risk analysis.

Outcomes

  • Voluntary compliance, or a resolution agreement with a corrective action plan and a period of OCR monitoring.
  • Closure with the outcome communicated to you; in some cases, civil monetary penalties may be imposed on the organization.
  • Where a breach is involved, OCR evaluates Breach Notification Rule compliance (timeliness and content of notices) alongside the Security Rule safeguards that failed.

Following Up on Your Complaint

  • Use your portal account and case number to check status and messages regularly.
  • Reply quickly to OCR requests for more information; note deadlines in each message.
  • Update your contact details if they change and keep a personal timeline of all communications.
  • Request a copy of the closure or resolution letter for your records when the case concludes.

Conclusion

File a HIPAA complaint when a covered entity or business associate violates the Privacy Rule, fails to meet Security Rule requirements for ePHI, or mishandles breach notifications. Act within 180 days (or explain good cause for the delay), submit a clear written complaint with evidence through the OCR portal, report any retaliation, and track the case until OCR issues a resolution.

FAQs

What qualifies as a HIPAA violation?

Common violations include impermissible uses or disclosures of PHI, failing to provide timely access to your records, inadequate safeguards for ePHI under the Security Rule, and not providing required notices after a breach. The organization must be a covered entity or a business associate for HIPAA to apply.

When must a HIPAA complaint be filed?

File within 180 days of when you knew, or should have known, about the violation. If you miss that window, explain any good cause for the delay and submit as soon as possible.

How can I submit a HIPAA complaint?

The fastest method is the OCR Complaint Portal, where you create an account, describe the incident, upload evidence, and track status. You can also submit a written complaint by mail, fax, or email if you prefer; include the same essential elements listed above.

What happens if I face retaliation for filing a complaint?

HIPAA’s anti-retaliation provision prohibits intimidation, threats, coercion, discrimination, or other retaliatory action against you for asserting your rights or participating in an investigation. Document the conduct and report it to OCR, either within your existing complaint or as a supplemental filing, so it can be addressed alongside the underlying violation.
