Where to File a HIPAA Violation Complaint (HHS Office for Civil Rights + State Options)
If your health information privacy was compromised, you can use the HIPAA complaint process to seek accountability. Most complaints go to the HHS Office for Civil Rights (OCR), and some issues can also be raised with state agencies. Below, you’ll see exactly where and how to file, key deadlines, protections, and what to expect.
OCR Complaint Submission Methods
Who can file
You may file on your own behalf, for your minor child, or as a personal representative. You can also submit on behalf of someone else with written authorization or legal authority. You do not need a lawyer to file an OCR complaint.
Ways to submit to OCR
- Online via the OCR complaint portal (fastest for tracking and status updates).
- By mail to OCR (use the appropriate regional or central office listed by HHS).
- By email to the designated OCR intake address (attach your signed complaint and supporting documents).
- By fax to an OCR office, if needed.
When you file, include your contact information, the covered entity or business associate’s name, what happened, when it happened, and any evidence (letters, notices, screenshots). State whether you prefer email, phone, or mail for OCR communications. Accessibility accommodations and language assistance are available.
Complaint Filing Deadlines
OCR generally requires complaints to be filed within 180 days from the date you knew, or reasonably should have known, about the potential violation. If you discovered a pattern over time, use the earliest date you can document and explain the timeline in your narrative.
OCR may grant filing deadline extensions for good cause. Examples include serious illness, military deployment, natural disasters, delayed discovery, or circumstances beyond your control. If you need extra time, say so explicitly and provide a brief explanation with any supporting materials.
State-Level Complaint Agencies
OCR enforces HIPAA nationally, but state agencies can address related issues like professional licensing, state privacy laws, consumer protection, and insurance practices. Filing with OCR does not prevent you from also contacting state authorities.
- State Attorneys General: May bring actions related to HIPAA and state consumer protection laws.
- State Departments of Health and Professional Licensing Boards: Handle provider conduct and licensing violations.
- State Insurance Departments: Oversee health plans and insurers’ handling of protected information.
- Medicaid Agencies and Health Plan Regulators: Address privacy concerns within state-run programs.
- State privacy officers or ombuds offices: Provide guidance on state data practices and complaints.
If you file at both levels, tell each office about the other filing. This supports consistent, centralized case management and avoids duplicate requests.
Retaliation Protections
Covered entities and business associates are prohibited from intimidating, threatening, coercing, or discriminating against you for filing a HIPAA complaint, cooperating with OCR, or exercising your rights. This HIPAA retaliation prohibition also means they cannot require you to waive your rights as a condition of treatment, payment, or enrollment.
If you experience retaliation, document dates, names, and what occurred; save emails or messages; and report the retaliation to OCR. Employment-related retaliation may also implicate other workplace protections—keep detailed records and continue communicating with OCR about any new developments.
Complaint Review and Investigation Process
What OCR checks first
OCR screens for jurisdiction (HIPAA-covered entity/business associate), timeliness, and sufficient detail. If your complaint lacks key facts, OCR may ask for clarification. Some matters are resolved quickly through technical assistance or early resolution.
Investigative steps
- Information requests to you and the entity, including policies, logs, and audit trails.
- Interviews and timeline verification, including breach notification review if applicable.
- Analysis against HIPAA requirements for privacy, security, and breach notification.
Possible outcomes
- Closure with technical assistance or voluntary corrective action.
- Corrective Action Plan with monitoring to verify sustained compliance.
- Resolution agreement and, in some cases, civil monetary penalties.
You will receive written updates or portal notices. Respond promptly to OCR and keep copies of everything you submit to support efficient, centralized case management.
Filing Complaints by Mail and Email
Mailing your complaint
- Use OCR’s complaint form or write a signed letter with your contact details, the entity’s name, dates, and a clear description of what occurred.
- Attach copies (not originals) of relevant documents such as notices, letters, or screenshots.
- If filing for someone else, include proof of authority (e.g., power of attorney) or a signed authorization.
- Send to the appropriate OCR office; keep a complete copy of your package and proof of mailing.
Emailing your complaint
- Scan or save your signed complaint form as a PDF. Include your narrative, dates, and requested relief.
- Attach supporting files. If you have many documents, describe them in a short index to aid review.
- Use a clear subject line (e.g., “HIPAA Complaint – [Entity Name] – [Date Range]”).
- Mention any accessibility needs or preferred communication method in the body of your message.
Whether by mail or email, sign and date your complaint, and retain a copy. If you need extra time due to circumstances outside your control, request a filing deadline extension in your submission.
Online Complaint Portal Usage
Step-by-step
- Access the OCR complaint portal and select the Health Information Privacy/HIPAA option.
- Create or use an account so you can save progress, receive messages, and upload files.
- Enter who you are complaining about, what happened, and when. Be specific about dates and systems involved.
- Upload attachments that support your account (policies, emails, portal screenshots, letters).
- Electronically sign and submit. Record your confirmation or case number for your records.
Tips for a strong submission
- Stick to facts in chronological order and highlight the exact HIPAA requirement you believe was violated, if known.
- Explain any delay in filing and request an extension if needed.
- Note if the issue is ongoing or has been corrected, and what remedy you seek.
- Check messages in the portal and respond promptly to OCR requests to keep centralized case management moving.
Conclusion
File HIPAA complaints with OCR through the online portal, mail, email, or fax, and consider parallel state filings when appropriate. Track the 180‑day deadline, request filing deadline extensions when necessary, and preserve evidence. Anti-retaliation rules protect you, and OCR’s process aims to correct problems through targeted oversight and, when needed, enforcement.
FAQs
How do I file a HIPAA violation complaint?
Submit to OCR via the online OCR complaint portal, by mail, email, or fax. Provide your contact details, the entity’s name, what happened, when it happened, and any documents that support your account. You may also contact relevant state agencies in parallel if state licensing, insurance, or consumer protection issues are involved.
What is the deadline for filing a HIPAA complaint?
Generally 180 days from when you knew or should have known about the potential violation. If you missed that window for reasons outside your control, explain the situation and request a good‑cause filing deadline extension.
Can I file a complaint with a state agency?
Yes. In addition to OCR, you can contact your State Attorney General, health department or licensing board, insurance department, Medicaid agency, or state privacy officers. Filing with a state agency does not prevent you from filing with OCR.
What protections exist against retaliation for filing a HIPAA complaint?
Covered entities and business associates cannot intimidate, threaten, coerce, or discriminate against you for filing or assisting with a HIPAA complaint. If retaliation occurs, document it and inform OCR; keep records of dates, communications, and impacts on your care or coverage.