Where to File a HIPAA Complaint: How to Report a Violation to HHS OCR
Online Submission Process
The fastest way to report HIPAA Privacy Rule violations, Security Rule issues, or problems with Breach Notification Requirements is through the OCR Complaint Portal. You can file for yourself or on someone’s behalf against a covered entity or a business associate when you believe Covered Entity Compliance or Business Associate Obligations were not met.
Step-by-step: filing online
- Open the OCR Complaint Portal and select “Violation of Privacy or Security of Health Information (HIPAA).”
- Enter your details and identify the organization (or business associate) you believe violated HIPAA.
- Describe what happened, when it happened, and which HIPAA requirements you believe were violated.
- Upload supporting documents (letters, emails, notices) that help explain the incident.
- Electronically sign your complaint and complete the consent form; save or print the confirmation for your records.
Tips for a strong submission
- Be specific about dates, locations, and people involved.
- If the issue relates to breach notification, note how and when you were notified—or if you never received notice.
- Include only the minimum necessary personal details to explain your concern.
- Indicate if you need language assistance, accessibility accommodations, or want OCR to keep your identity confidential.
Mail and Fax Complaint Procedures
You may submit a written complaint by mail or fax using the Health Information Privacy Complaint Form or your own written statement. Sign and date your submission and keep copies for your records.
Mail filing
Send completed forms or a signed letter to:
- Centralized Case Management Operations
- U.S. Department of Health and Human Services, Office for Civil Rights
- 200 Independence Avenue, S.W., Room 509F, HHH Building
- Washington, D.C. 20201
If you prefer, you may mail directly to the appropriate OCR regional office for the state where the incident occurred (address to the attention of the OCR Regional Manager).
Fax filing
Fax the completed complaint and consent forms to the appropriate OCR regional office. If you need a general fax destination, you may use 202-619-3818 and mark it to the attention of the correct region/OCR Regional Manager. Include a brief cover sheet with your contact information and the number of pages.
Proof and tracking
- Use delivery tracking for mail or keep the fax confirmation page.
- Retain copies of everything you send, including your signed consent form.
Required Complaint Information
Whether you file online, by mail, or fax, include enough detail for OCR to understand the issue and assess HIPAA Privacy Rule violations, Security Rule failures, or Breach Notification Requirements concerns.
Complainant and communication details
- Your name, mailing address, phone number, and email (if available).
- Any communication accommodations you need (language services, relay service, accessible formats) and an alternate contact if OCR can’t reach you.
Who you are complaining about and what happened
- The name, address, and phone number of the covered entity or business associate.
- A clear description of the acts or omissions, with dates and how your information was affected.
- Indicate if the issue involves Business Associate Obligations (for example, a vendor handling billing, claims, or data services).
- Supporting materials such as letters, screenshots, notices, or policies, if available.
Signature and consent
- Online filings require an electronic signature and consent form.
- Mailed or faxed complaints must be signed and dated; include the completed consent form so OCR can contact the organization about your allegations.
- If filing for someone else, identify the person and your authority to act for them.
Filing Deadlines and Extensions
Generally, you must file within 180 days of when you knew or reasonably should have known about the alleged violation. File as soon as possible; timely submissions help OCR investigate effectively.
Good-cause extensions
OCR may extend the 180-day period if you show good cause—such as serious illness, incapacitation, or other circumstances that made timely filing impossible. Explain the reason for the delay and provide any documentation that supports your request.
Protection Against Retaliation
HIPAA prohibits retaliation. Covered entities and business associates may not intimidate, threaten, coerce, discriminate, or retaliate against you for filing a complaint, participating in an OCR investigation, or opposing unlawful practices in good faith. If retaliation occurs, document it and promptly report it to OCR as part of your complaint or in a supplemental filing.
Contact Details for OCR
- Toll-free phone: 1-800-368-1019
- TDD toll-free: 1-800-537-7697
- Complaint email (for written submissions): OCRComplaint@hhs.gov
- Health Information Privacy inquiries: OCRPrivacy@hhs.gov
- Mailing address for centralized intake: U.S. Department of Health and Human Services, Office for Civil Rights, Centralized Case Management Operations, 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201
- General fax: 202-619-3818 (or fax to the appropriate OCR regional office where the incident occurred)
Language assistance and auxiliary aids are available on request at no charge.
Reviewing Complaint Outcomes
OCR first reviews your complaint to confirm timeliness, jurisdiction (covered entity or business associate), and whether the facts described could constitute a HIPAA violation. If accepted, OCR notifies both you and the organization and begins its review or investigation.
Possible results
- Technical assistance or voluntary corrective action to resolve the issue quickly.
- A corrective action plan that requires policy, training, or safeguard changes, often with monitoring.
- A resolution agreement (settlement) that may include a payment and multi‑year oversight.
- Civil money penalties if the entity fails to take satisfactory corrective action.
- Referral to the Department of Justice if potential criminal conduct is identified.
OCR sends you a letter describing the outcome. Its focus is enforcement and system improvement; a HIPAA complaint does not provide individual monetary compensation.
Summary: File promptly through the OCR Complaint Portal or by mail/fax using the Health Information Privacy Complaint Form, include complete facts and dates, and request a good-cause extension if needed. HIPAA protects you from retaliation, and OCR will inform you of the resolution after its review.
FAQs
How do I file a HIPAA complaint online?
Use the OCR Complaint Portal, choose the HIPAA option, enter your information and the organization’s details, describe what happened with dates, upload any supporting documents, then electronically sign and complete the consent form. Save your confirmation.
What information is required in a HIPAA complaint?
Provide your contact information; the name and contact details of the covered entity or business associate; a clear description of what occurred and when; any supporting documents; and your signature and consent (electronic online, written for mail/fax). Mention if the issue involves Breach Notification Requirements or other HIPAA Privacy or Security concerns.
Can I file a HIPAA complaint after 180 days?
Yes, in limited situations. OCR can grant a good-cause extension when circumstances made timely filing impossible (for example, serious illness or incapacitation). Explain the reason for the delay and include any supporting documentation.
What protections exist against retaliation for filing a HIPAA complaint?
HIPAA prohibits retaliation. Covered entities and business associates may not intimidate, threaten, coerce, discriminate, or otherwise penalize you for filing a complaint or participating in an OCR matter. If retaliation occurs, document it and report it to OCR immediately.