Where Can I File a HIPAA Violation? A Jurisdiction-by-Scenario Guide to the Right Agency


Kevin Henry

HIPAA

February 02, 2024


If you are wondering, “Where can I file a HIPAA violation?”, the answer depends on who you are, what happened, and which privacy or security rule was implicated. This guide maps common scenarios to the right place to report, so your complaint reaches an agency with authority to act.

This material provides general information about HIPAA complaint procedures and related laws. It is not legal advice.

Reporting by Employees of Covered Entities

Covered entities include most health care providers, health plans (including employer group health plans), and health care clearinghouses. If you work for one of these organizations, start internally before going outside unless there is imminent risk or evidence of concealment.

  • Report to your organization’s designated privacy officer or compliance office. Privacy officer responsibilities typically include logging complaints, assessing risk, mitigating any harm, and coordinating corrective action.
  • Use approved channels such as compliance hotlines, incident intake forms, or risk management email boxes. Keep your report factual, time-stamped, and limited to the minimum necessary information.
  • Preserve evidence such as screenshots, audit logs, or email headers without downloading or further exposing protected health information.
  • Escalate externally if internal resolution fails, retaliation occurs, or the issue is systemic. You may report to the U.S. Department of Health and Human Services Office for Civil Rights for enforcement.
  • If you are employed by a business associate rather than a covered entity, see the section on business associate agreement violations.

Filing Complaints as Patients or Individuals

Patients, plan members, and any individual whose protected health information is involved can file directly with the HHS Office for Civil Rights. OCR handles HIPAA Privacy, Security, and Breach Notification Rule complaints and prioritizes matters that indicate willful neglect or ongoing risk.

  • File with OCR as soon as possible. Complaints generally must be submitted within 180 days of when you knew or should have known of the violation, though OCR may waive the deadline for good cause.
  • You can also complain to the provider’s or plan’s privacy officer for internal remediation. Doing both can speed remediation without limiting Office for Civil Rights enforcement.
  • Include who was involved, what happened, when and where it occurred, how you were affected, and any steps already taken. Attach supporting materials if available.
  • Understand remedies: OCR can require corrective action and impose civil penalties, but HIPAA itself does not provide a private right of action for money damages. You may have separate rights under state privacy law.

Addressing State-Specific Privacy Law Violations

Many states have medical privacy or consumer health data laws that go beyond HIPAA. These may cover entities or data types HIPAA does not, or provide additional remedies such as statutory damages or private lawsuits.

  • Consider state routes when the entity is not a HIPAA covered entity or business associate, the alleged conduct involves broader consumer health data, or you seek remedies not available under HIPAA.
  • Common state enforcers include the attorney general, state health department, consumer protection division, and professional licensing boards for clinicians.
  • You can file both a state complaint and a HIPAA complaint if both laws may apply. Filing with one does not bar the other.
  • Check state deadlines, which can differ from OCR’s 180-day window, and preserve documentation in case you pursue a private claim where allowed.

Handling Violations by Business Associates

Vendors that create, receive, maintain, or transmit protected health information for a covered entity are business associates. They must comply with HIPAA and operate under a business associate agreement.

  • Report suspected business associate agreement violations to the covered entity’s privacy officer and to the business associate’s compliance contact. The covered entity is obligated to address material breaches by its vendors.
  • You may also file directly with the HHS Office for Civil Rights, which has authority over business associates and their subcontractors.
  • Provide the name of the covered entity, the business associate, the relevant services, and how PHI was used or disclosed. Note any missing or inadequate contractual safeguards.
  • Common issues include unsecured cloud storage, improper marketing uses, insufficient access controls, and failure to report breaches to the covered entity without unreasonable delay.

Reporting Breaches Involving Health Apps and Personal Health Records

Not all health apps are subject to HIPAA. Apps offered by or on behalf of your provider or health plan may be covered; many direct-to-consumer health apps are not. When HIPAA does not apply, privacy oversight often shifts to the Federal Trade Commission.

  • If the app is not acting on behalf of a covered entity, it may be a personal health record (PHR) vendor or a related entity subject to the FTC’s Health Breach Notification Rule.
  • For non-HIPAA apps and PHRs, consider Federal Trade Commission reporting for deceptive or unfair practices and potential violations of the Health Breach Notification Rule.
  • When in doubt, report to both OCR and the FTC, and include why you believe each has jurisdiction. You can also notify your state attorney general under state consumer or health data laws.
  • Describe the data involved (e.g., diagnoses, medications, geolocation), whether information came from multiple sources, and any notifications you received—or did not receive—about a breach.

Understanding Jurisdictional Authority

Use this quick triage to send your complaint to the right place while preserving all options:

  • Provider, hospital, clinic, pharmacy, health plan, or clearinghouse mishandled PHI: HHS Office for Civil Rights.
  • Vendor handling PHI for a provider or plan (e.g., billing company, cloud host): HHS OCR; also notify the covered entity about the vendor.
  • Direct-to-consumer health app or PHR not acting for a provider or plan: Federal Trade Commission and your state attorney general.
  • Professional misconduct tied to confidentiality (e.g., a clinician posting PHI): State licensing board in addition to OCR.
  • Non-HIPAA contexts (schools under FERPA, employers’ HR files, life insurers): Relevant education, labor, insurance, or consumer protection authorities rather than OCR.

Jurisdiction can overlap. It is acceptable, and often prudent, to file with more than one authority when multiple laws may apply, especially where state privacy law supplements HIPAA.

Ensuring Timely and Proper Reporting

Timeliness and precision strengthen your complaint and help regulators act efficiently.

  • Act promptly. Aim to submit OCR complaints within 180 days; observe any shorter state deadlines. Do not wait for internal investigations to conclude before preserving your filing window.
  • Be specific. Provide dates, systems involved, the minimum necessary facts, and how the incident impacted you or patients. Redact unrelated information.
  • Follow procedure. Use official intake forms where available, keep copies, and obtain confirmation numbers.
  • For entities reporting breaches: notify affected individuals without unreasonable delay and within the deadlines the applicable rule sets, and notify regulators as required.
  • Maintain professionalism. Avoid accessing records to “prove” the breach; let audit logs and compliance teams handle evidence collection.

In short, route HIPAA issues to OCR, state-specific issues to the appropriate state authority, vendor lapses to both the covered entity and OCR, and consumer health app problems to the FTC under the Health Breach Notification Rule—with dual filings when jurisdictions overlap.

FAQs

What agency handles complaints from patients?

The U.S. Department of Health and Human Services Office for Civil Rights investigates HIPAA complaints from patients and individuals about covered entities and their business associates. You can also pursue state avenues if state law provides additional protections or remedies.

How do employees report internal HIPAA violations?

Use your organization’s designated compliance channels first—typically the privacy officer, hotline, or incident portal—so corrective action can begin quickly. If the issue is unresolved, retaliatory, or systemic, file with the HHS Office for Civil Rights as well.

Where should violations by business associates be reported?

Report to the covered entity’s privacy officer and to the business associate’s compliance contact, and submit a complaint to the HHS Office for Civil Rights. Note the relevant business associate agreement and describe how it was breached.

What is the process to report breaches involving health apps?

If the app is not acting for a covered entity, report to the Federal Trade Commission for potential violations of the Health Breach Notification Rule and deceptive practices. If the app is offered by or on behalf of your provider or plan, report to the HHS Office for Civil Rights; you can file with both if you are unsure.
