Where to File a HIPAA Complaint: OCR Submission Links and State-by-State Contacts

If you are deciding where to file a HIPAA complaint, this guide explains the options offered by the HHS Office for Civil Rights, how your case is routed, and who to contact by region and state.

OCR Complaint Submission Methods

The Office for Civil Rights receives and investigates HIPAA complaints. You can choose the submission method that fits your needs and accessibility preferences.

Online portal (fastest)

Filing online is the quickest way to open a case. The secure form guides you through required fields, lets you upload evidence, and provides a confirmation number for follow-up.

Mail or fax via Centralized Case Management Operations

If you prefer paper, you can send a written complaint to OCR’s Centralized Case Management Operations, which scans and routes submissions to the correct regional office. Include copies of supporting documents and retain originals.

What to include in your complaint

• Your contact details and any language or accessibility needs.
• The covered entity or business associate involved (for example, a health plan, provider, or healthcare clearinghouse).
• Dates, facts, and the specific HIPAA rights or safeguards you believe were violated.
• Steps you took with the organization’s HIPAA Privacy Officer and the outcome.
• Evidence such as letters, emails, portal screenshots, or billing notices.

Consent and representative paperwork

If you are filing for someone else or if OCR must share your information to investigate, complete the appropriate Complaint Consent Forms. Personal representatives, including parents and legal guardians, may submit on another person’s behalf.

After you submit

OCR acknowledges receipt, screens for jurisdiction and timeliness, and assigns the matter to a regional team. You may be asked for clarifying details or additional documents as the review proceeds.

Regional OCR Office Contacts

OCR investigates cases through regional offices based on where the incident occurred or where the entity is located. Knowing your region helps you anticipate who may contact you and where your case will be managed.

State coverage by region

• Region I (Boston): CT, ME, MA, NH, RI, VT.
• Region II (New York): NJ, NY, PR, VI.
• Region III (Philadelphia): DE, DC, MD, PA, VA, WV.
• Region IV (Atlanta): AL, FL, GA, KY, MS, NC, SC, TN.
• Region V (Chicago): IL, IN, MI, MN, OH, WI.
• Region VI (Dallas): AR, LA, NM, OK, TX.
• Region VII (Kansas City): IA, KS, MO, NE.
• Region VIII (Denver): CO, MT, ND, SD, UT, WY.
• Region IX (San Francisco): AZ, CA, HI, NV, AS, GU, MP.
• Region X (Seattle): AK, ID, OR, WA.

When to contact your regional office

After filing, communicate with your assigned investigator about status updates, document requests, or potential resolution. For pre-filing questions, the online system and CCMO intake can direct you to the correct region.

State-Specific HIPAA Complaint Procedures

Many states operate parallel channels for health privacy and patient-rights issues. You can file with OCR and also submit to state authorities; doing both does not jeopardize your federal complaint.

Common state channels

• Attorney General consumer protection or privacy units (many AGs coordinate with OCR on HIPAA matters).
• Departments of Health for facility practices and compliance tied to privacy safeguards.
• Departments of Insurance for health plan conduct affecting protected health information.
• Professional licensing boards for clinicians, pharmacists, and laboratories.
• Medicaid agencies or health insurance marketplaces for plan-related privacy concerns.

How to tailor your state filing

States differ on whether they accept anonymous complaints, require sworn statements, or limit online submissions. Follow your state’s instructions, attach supporting documents, and note any OCR case number for clarity.

Start locally when it helps

Before or alongside formal filings, contact the organization’s HIPAA Privacy Officer to request access, corrections, or added safeguards. Many issues resolve quickly through internal processes, especially for misdirected mailings or portal access problems.

HIPAA Complaint Eligibility Criteria

You may file if you believe a covered entity or its business associate violated HIPAA Privacy, Security, or Breach Notification rules. Covered entities include health plans, healthcare providers that conduct standard transactions, and healthcare clearinghouses.

Situations that commonly qualify

• Denied timely access to your medical records or charged unreasonable fees.
• Improper uses or disclosures of protected health information (PHI).
• Insufficient safeguards leading to unauthorized access or a breach.
• Failure to provide a Notice of Privacy Practices or to honor agreed restrictions.

Who can file and what’s required

Individuals, personal representatives, or authorized advocates may file. Provide the entity’s name, what happened, when you learned of it, and how to contact you. If filing for someone else, include the needed Complaint Consent Forms or proof of authority.

Complaint Filing Deadlines

OCR generally requires complaints within 180 days of when you knew, or reasonably should have known, about the possible violation. If you are late, explain why; OCR may grant a Good Cause Extension at its discretion.

Examples of good cause

• Serious illness, hospitalization, or incapacity that prevented timely filing.
• Reasonable reliance on the entity’s internal process that caused unavoidable delay.
• Misrepresentation by the organization about your rights or the complaint process.
• Natural disasters or documented technology barriers that impeded submission.

State deadlines for parallel complaints can differ. If you plan a state filing, check that agency’s timeline so you do not miss stricter cutoffs.

Retaliation Protections under HIPAA

HIPAA’s Retaliatory Action Prohibition bars covered entities and business associates from intimidating, threatening, coercing, or discriminating against you for exercising your rights, including filing a complaint or assisting an investigation.

What retaliation can look like

• Refusing treatment, unfair dismissal from a practice, or degrading service quality.
• Charging special fees, changing coverage tiers, or denying benefits because you complained.
• Pressuring you to withdraw a complaint or to sign broad waivers of your rights.

What to do if retaliation occurs

Document the conduct, keep copies of communications, and report it within your OCR case. Depending on the facts, other laws may also apply and OCR can coordinate with appropriate authorities.

Conclusion

To decide where to file a HIPAA complaint, start with OCR’s online portal or submit through Centralized Case Management Operations, then work with your regional office. Consider parallel state avenues, file within 180 days or request a Good Cause Extension, and remember that retaliation is prohibited.

FAQs

Where can I file a HIPAA complaint online?

Use the HHS Office for Civil Rights online complaint portal to submit electronically, attach evidence, and receive a confirmation number. Accessibility assistance is available if you need help completing the form.

How do I find the OCR regional office for my state?

Use the state coverage list above to identify your region. After you file, your case is automatically routed to that regional office, which becomes your primary point of contact.

What is the deadline for submitting a HIPAA complaint?

You generally have 180 days from when you knew, or should have known, about the potential violation. If you miss that window, explain why; OCR may allow a Good Cause Extension.

What protections exist against retaliation for filing a HIPAA complaint?

HIPAA prohibits intimidation, coercion, or adverse treatment for exercising your rights or cooperating with OCR. If retaliation occurs, document it and inform OCR so it can address the conduct.