Where to File a HIPAA Violation Anonymously: How to Report It to HHS OCR


Kevin Henry

HIPAA

April 01, 2024


Reporting HIPAA Violations to OCR

If you believe your health information privacy was violated, you can report it to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules.

OCR accepts complaints involving a HIPAA-covered entity (such as a hospital, clinic, health plan, or clearinghouse) or a business associate that handles protected health information on a covered entity’s behalf. If the organization is not subject to HIPAA, see Alternative Reporting Options below.

Filing a Complaint Anonymously

You may file a complaint without providing your name. Anonymous complaints can alert OCR to serious issues, but investigations may be harder if OCR cannot contact you for details or evidence. To strengthen an anonymous report, include precise facts, dates, locations, and the name of the organization involved.

If you want updates while keeping your identity from the organization, you can provide your contact information to OCR and request confidentiality. OCR generally protects complainant identities to the extent allowed by law. Share only information necessary to describe the incident.

Methods to File a Complaint

  • OCR Complaint Portal: Submit a complaint online, answer guided questions, and upload supporting files. The portal is the fastest way for OCR to receive and triage your report.
  • Written complaint submission: Mail, fax, or email a written complaint to an OCR regional office. Include all required details and copies of relevant documents.
  • Assistance by phone: You can call OCR for help preparing your complaint, then submit it through the portal or in writing.

Complaint Requirements and Deadlines

To help OCR assess your complaint, include:

  • The name and contact details of the HIPAA-covered entity or business associate involved.
  • What happened, when it happened (specific dates), and how it affected health information privacy.
  • Where the incident occurred (facility, department, website, portal, or system).
  • Any staff you interacted with, witnesses, and what you were told.
  • Supporting materials (emails, notices, screenshots, policies) if available.
  • Your contact information if you want updates; you may file anonymously if you prefer.

Deadlines: You generally must file within 180 days of when you knew or should have known about the violation. OCR may grant a complaint deadline extension if you show good cause (for example, hospitalization, natural disaster, or delayed discovery of the breach).

Protection Against Retaliation

HIPAA’s retaliation prohibition means covered entities and business associates may not intimidate, threaten, coerce, or discriminate against you for filing a complaint or assisting an investigation. This protection applies whether you are a patient, plan member, employee, or contractor.

If you experience retaliation, document it and report it to OCR as part of your complaint or as a separate allegation. Keep copies of schedules, emails, write-ups, termination notices, or other proof of adverse actions.

Alternative Reporting Options

Some privacy harms fall outside HIPAA or involve broader misconduct. In addition to reporting to OCR, you can consider:

  • State attorneys general for consumer protection actions related to unlawful disclosures or security failures.
  • Professional licensing boards for clinician misconduct tied to privacy or confidentiality breaches.
  • Accreditation bodies or internal compliance hotlines for immediate safety or systemic issues.
  • HHS Office of Inspector General for suspected Medicare or Medicaid fraud tied to records misuse.
  • The Federal Trade Commission for health apps, wearables, or other companies not regulated as HIPAA entities.

OCR Investigation Process

After submission, OCR screens your complaint for jurisdiction and timeliness. If accepted, OCR may open an investigation, request records, interview witnesses, and assess the entity’s policies, risk analyses, and safeguards.

Most matters resolve through technical assistance, voluntary compliance, or a corrective action plan with monitoring. Serious or willful violations can result in civil monetary penalties. OCR notifies you when it closes the case, though it does not award individual damages.

In short, you can report a HIPAA violation anonymously to HHS OCR through the OCR Complaint Portal or by written complaint submission. Provide specific facts, file within 180 days when possible, and rely on HIPAA’s retaliation prohibition if you fear adverse treatment. Doing so helps protect health information privacy for everyone.

FAQs

How can I file a HIPAA violation anonymously?

You can submit an anonymous report through the OCR Complaint Portal or by written complaint submission. Omit your name if you prefer, but include detailed facts, dates, and the organization’s name so OCR can evaluate the issue. If you want updates while keeping your identity from the organization, provide contact details to OCR and request confidentiality.

What information is required to file a HIPAA complaint?

List the HIPAA-covered entity or business associate involved, what occurred, when and where it happened, who was involved, and how health information privacy was affected. Add any supporting documents. Contact information is optional if you choose to remain anonymous.

Can I report a HIPAA violation without fear of retaliation?

Yes. HIPAA’s retaliation prohibition bars covered entities and business associates from punishing you for filing a complaint or helping OCR. If retaliation occurs, document it and include it in your complaint.

What are alternative agencies to report a HIPAA violation?

In addition to OCR, you can consider your state attorney general, professional licensing boards, accreditation bodies, the HHS Office of Inspector General for fraud, and the Federal Trade Commission for privacy issues involving companies outside HIPAA.
