Where and Who to Report HIPAA Violations: Compliance Checklist with Examples
Reporting HIPAA Violations Internally
You should start by reporting suspected violations inside your organization whenever it is safe to do so. Covered entities and business associates must maintain processes for reporting to a designated Privacy Officer or Compliance Officer.
Who to contact
- Privacy Officer (primary point for HIPAA privacy issues involving Protected Health Information).
- Compliance Officer or supervisor, following your organization’s chain of command.
- HIPAA Security Officer for incidents involving ePHI, systems, or devices.
How to report (step by step)
- Document what you observed: dates, times, locations, people involved, and the type of PHI affected.
- Avoid further access or sharing; preserve evidence without copying PHI unnecessarily.
- Submit a report via your hotline, incident portal, or written form; request a confirmation or case number.
- Cooperate with mitigation steps (for example, sequestering devices or correcting misdirected faxes).
- Escalate to the Privacy Officer if initial reports are ignored or if you experience retaliation.
Examples
- A nurse views a neighbor’s lab results without a work need.
- Discharge summaries are faxed to the wrong business.
- An unencrypted laptop with patient schedules is lost in transit.
- A staff photo posted online shows a whiteboard containing PHI.
Reporting HIPAA Violations to OCR Online
If internal reporting fails, is unsafe, or the issue involves systemic noncompliance, you may report to the U.S. Department of Health and Human Services Office for Civil Rights. The fastest method is the OCR Complaint Portal.
Before you start
- Confirm the organization is a HIPAA covered entity or business associate.
- Gather factual details and any non-PHI evidence (emails, policies, screenshots with PHI redacted).
- Note when you learned of the incident; OCR generally requires filing within 180 days.
Using the OCR Complaint Portal
- Open the OCR Complaint Portal and choose the HIPAA privacy, security, or breach option.
- Complete the HIPAA Complaint Form with the entity’s name, address, and individuals involved.
- Describe what happened, when it happened, and how PHI was affected.
- Attach supporting files and indicate whether you reported internally.
- Provide contact information (or choose to file anonymously) and submit.
What to include
- Names of the organization(s) and department(s) involved.
- Specific dates/times and systems or locations (for example, EHR module, shared drive, fax line).
- Type of Protected Health Information exposed (for example, diagnoses, lab results, account numbers).
- Harm or risk (identity theft, stigma, access delays).
Example
You discover that a clinic’s shared spreadsheet listing patient appointments and diagnoses is publicly accessible. You capture a redacted screenshot, report internally, and file online with OCR if the spreadsheet remains publicly accessible after your internal report.
Reporting HIPAA Violations to OCR by Mail
You can also submit a written complaint by mail if you prefer paper or need to include notarized statements. This route is helpful when you have extensive documentation to enclose.
How to file by mail
- Complete the HIPAA Complaint Form or write a letter containing all details required by OCR.
- Include your contact information or clearly state that you are filing anonymously.
- If filing on someone’s behalf, include authorization or proof of legal representation as applicable.
- Mail your packet to the appropriate OCR regional office; use trackable mail and keep copies.
What your letter should cover
- Who: covered entity or business associate, and people involved.
- What: the conduct and PHI affected, with concise facts.
- When/Where: dates, times, systems, and locations.
- Why: how the conduct violates HIPAA rules (privacy, security, or breach notification).
- Remediation: whether the entity mitigated or notified affected individuals.
Example
A pharmacy discards labeled pill bottles in an unsecured dumpster. You send a letter with dates, photos showing labels redacted, and a timeline of your internal report and the lack of response.
Reporting HIPAA Violations Anonymously
You may report anonymously both inside your organization and to the Office for Civil Rights. Anonymity can reduce fear of retaliation, but it also limits OCR’s ability to request clarifications or provide status updates.
Anonymous vs. confidential
- Anonymous: you do not provide your identity to the recipient.
- Confidential: you give OCR your identity but request that it not be shared with the entity.
How to stay anonymous
- Use your organization’s anonymous hotline or web portal.
- On the OCR Complaint Portal, select the option to file without disclosing your name.
- Mail a complaint without personal identifiers; include enough facts for OCR to investigate.
Limitations and protections
- OCR may close a complaint if it cannot obtain needed details from an anonymous filer.
- HIPAA requires non-retaliation policies for good-faith reporting; raise concerns about retaliation to the Privacy Officer or OCR.
Reporting HIPAA Violations to State Authorities
In addition to federal reporting, you can notify state entities. State Attorneys General may pursue HIPAA enforcement actions, and state laws can offer remedies beyond HIPAA.
Where to report at the state level
- State Attorney General for HIPAA and consumer protection issues.
- State Health Department for facility or public health concerns.
- Professional licensing boards for individual clinician misconduct.
When state reporting helps
- Widespread or repeated violations affecting many residents.
- Denial of access to medical records under state access laws.
- Improper disposal of PHI or public posting of records.
Example
After multiple breach letters from the same hospital in a year, you file with OCR and also notify your State Health Department and state Attorney General to address patterns of noncompliance.
Filing Complaints with OCR
Anyone who believes a covered entity or business associate violated HIPAA may file with OCR. You can submit online or by mail, and you may request confidentiality.
Deadlines and eligibility
- File within 180 days from when you knew, or should have known, about the violation.
- Request an extension if you have good cause for delay (for example, hospitalization).
OCR review and outcomes
- Intake: OCR verifies jurisdiction and may seek more information.
- Resolution: technical assistance, voluntary compliance, or corrective action plan with monitoring.
- Enforcement: civil monetary penalties in serious or willful cases.
What to prepare
- Timeline of events and the specific HIPAA rule area (privacy, security, or breach).
- Policies, emails, audit logs, and other non-PHI evidence.
- Details of any harm, mitigation steps, and internal responses.
Compliance Checklist for Reporting HIPAA Violations
Quick action checklist
- Ensure safety and stop further disclosure or access if you can do so without creating new risks.
- Record facts immediately: who, what, when, where, systems involved, and PHI types.
- Report internally to the Privacy Officer or through your compliance hotline.
- Escalate to the Office for Civil Rights via the OCR Complaint Portal or by mail if needed.
- Consider reporting to your State Health Department, state Attorney General, or licensing board.
- Track your case numbers and keep copies of submissions and responses.
Documentation checklist
- Entity and department names; contact details if available.
- Incident description tied to HIPAA requirements and policies.
- Dates/times, logs, screenshots (with PHI redacted), and witness notes.
- Actions taken to mitigate, including any breach notifications.
Common pitfalls to avoid
- Waiting beyond the 180-day window without seeking an extension.
- Including unredacted PHI in your submission when not necessary.
- Skipping internal reporting when it is safe and required by policy.
- Providing conclusions without concrete facts and timestamps.
Conclusion
Report HIPAA concerns promptly, start with your Privacy Officer when safe, and escalate to the Office for Civil Rights if issues persist or are severe. Use the OCR Complaint Portal or mail, consider state authorities, and follow this checklist to document facts, protect PHI, and support effective HIPAA enforcement.
FAQs
Who is responsible for reporting HIPAA violations internally?
Every workforce member shares responsibility to report suspected violations to the organization’s Privacy Officer or designated compliance channel. Supervisors must escalate reports, and business associates must notify the covered entity as their agreements require.
How can I report a HIPAA violation anonymously?
Use your organization’s anonymous hotline or web portal, submit through the OCR Complaint Portal without identifying yourself, or mail a complaint omitting personal identifiers. Note that true anonymity may limit updates or follow-up questions.
What is the deadline for filing a HIPAA complaint with OCR?
You generally must file within 180 days of when you knew, or should have known, about the violation. OCR may grant an extension for good cause, such as illness or inability to access records.
Can HIPAA violations be reported to state authorities?
Yes. You can notify your State Health Department, state Attorney General, and relevant licensing boards. State agencies may pursue remedies under HIPAA and state privacy or consumer protection laws, and you may report to both state and federal authorities.