Where Can I File a HIPAA Complaint for Negligence? How to Report a Violation to HHS OCR

Kevin Henry

HIPAA

March 17, 2024

6 minute read

Understanding HIPAA Complaint Procedures

If you believe a health care provider, health plan, or one of their vendors handled your protected health information (PHI) negligently, you can file a HIPAA complaint with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). OCR enforces the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and it runs the complaint process described below.

HIPAA applies to covered entities (health plans, most health care providers, and health care clearinghouses) and their business associates (vendors that handle PHI). A complaint can address Privacy Rule violations (impermissible uses or disclosures), Security Rule compliance failures (inadequate administrative, physical, or technical safeguards), or Breach Notification Rule lapses (late or missing notices after a breach).

What “negligence” looks like under HIPAA

  • Impermissible disclosure of PHI (e.g., sending records to the wrong person or discussing PHI in public areas).
  • Security control failures (e.g., unencrypted devices, weak access controls, or lack of risk assessments).
  • Failure to provide timely access to your records or to issue required breach notices.

Who can file and what to expect

Anyone may file, including patients, personal representatives, and workforce members of the organization involved. The complaint must be in writing (online, by mail, or by email), name the organization, and describe what happened. OCR screens your complaint, may request more information, and can resolve the matter through technical assistance, voluntary compliance, corrective action, or enforcement. You generally must file within 180 days, though OCR may extend that deadline for good cause.

Using the OCR Complaint Portal

The fastest way to report a HIPAA violation is through the OCR Complaint Portal. You complete an online form, describe what happened, and upload supporting documents. You can track your submission if you create an account; guest submissions are also accepted.

Step-by-step

  1. Select the HIPAA option and confirm that the respondent is a covered entity or business associate.
  2. Enter your contact information and indicate whether OCR may share your identity with the respondent.
  3. Identify the organization(s) involved and the date(s) of the alleged violation.
  4. Describe the incident clearly, noting which HIPAA rules may be implicated (Privacy Rule, Security Rule, or Breach Notification Rule).
  5. Attach relevant files (letters, emails, screenshots, policies) and submit. Save your confirmation number.

Filing Complaints by Mail

If you prefer paper, you can mail a signed complaint to the OCR regional office that covers the state where the alleged violation occurred. Use the OCR complaint form or write a detailed letter containing all required information (see Complaint Documentation Requirements below). Keep copies of everything you send.

Mailing tips

  • Print clearly, sign and date your letter or form, and include your preferred contact method.
  • Address the envelope to the OCR regional office that covers the location of the alleged violation.
  • Use tracking to confirm delivery and retain a complete copy of your packet.

Submitting Complaints via Email

You may also submit your complaint and attachments to OCR by email. Put "HIPAA Complaint" in the subject line, name the respondent, and attach your completed form or a signed letter. Keep in mind that ordinary email is not encrypted end to end, so treat anything you write in the message body as potentially readable in transit.

Email best practices

  • Share only the minimum PHI needed to explain the incident, and leave out Social Security numbers unless they are essential to the complaint.
  • Use common file formats (PDF, DOCX, JPG/PNG). If an attachment contains sensitive PHI, encrypt it and provide the password by a separate channel (for example, by phone), not in the same email.
  • Provide a phone number so OCR can reach you quickly if clarification is needed.

Complaint Documentation Requirements

Strong documentation helps OCR assess the obligations of the covered entity or business associate efficiently. Include:

  • Your name, mailing address, phone, and email (or your representative’s information and authority).
  • The name and contact details of the covered entity or business associate you are complaining about.
  • The date(s) and location(s) of the incident and a concise description of what occurred.
  • Which HIPAA rule you believe was violated (Privacy Rule, Security Rule, or Breach Notification Rule) and why.
  • Relevant evidence: correspondence, screenshots, denial letters, policies, or breach notices.
  • Whether you reported the matter to the organization’s privacy or security officer and any response received.
  • Your consent preference about revealing your identity to the respondent.

Retaliation Protections Under HIPAA

HIPAA prohibits covered entities and business associates from retaliating against you for filing a complaint, participating in an investigation, or opposing unlawful practices. Retaliation can include threats, denial of services, or adverse employment actions related to your complaint.

If you experience retaliation, document it and notify OCR promptly. You may file a separate retaliation complaint referencing your original case.

Timeline for Filing Complaints

There is a 180-day filing deadline that generally runs from when you knew, or should have known, about the alleged violation. OCR may extend this deadline for good cause, such as hospitalization or delayed discovery of a breach.

Processing times vary based on complexity and volume. Many matters close through technical assistance; others may require full investigation, corrective action plans, or enforcement. Submitting a clear narrative and organized evidence can significantly speed review.

In short: file within the 180-day deadline, use the OCR Complaint Portal for the fastest submission, and provide focused documentation tied to the specific Privacy Rule, Security Rule, or Breach Notification Rule requirement you believe was violated.

FAQs

How do I submit a HIPAA complaint online?

Use the OCR Complaint Portal. Select the HIPAA option, enter your contact information, identify the covered entity or business associate, describe what happened with dates, attach supporting files, and submit. You will receive a confirmation and, if you create an account, you can check status.

What information is required to file a HIPAA complaint?

Provide your contact details, the name of the organization involved, the date(s) and description of the incident, the HIPAA rule implicated (Privacy, Security, or Breach Notification), any steps you took with the organization’s privacy or security officer, your consent preference on identity disclosure, and relevant documents.

Can I file a HIPAA complaint anonymously?

You may ask OCR not to share your identity with the organization. However, giving OCR your contact information is recommended so it can request clarification and update you. If you withhold it entirely, OCR may be limited in processing or investigating your complaint.

What happens after I file a HIPAA complaint?

OCR screens your submission, may request more details, and decides whether to open an investigation. If opened, the organization can respond, and OCR may seek corrective action, provide technical assistance, or pursue enforcement. You will receive a written outcome when the matter is closed.
