Where to File a HIPAA Violation: OCR Complaint Portal + State-by-State Reporting Directory
Filing a Complaint with the OCR
If you believe your health information privacy or security rights were violated, the primary place to file is the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). OCR is the federal agency responsible for HIPAA compliance investigation and enforcement.
Who can file and what qualifies
- You can file a HIPAA complaint as a patient, personal representative, parent/guardian, or workforce member who observed a potential violation.
- Common issues include unauthorized disclosures of protected health information (PHI), failure to safeguard PHI, denial of timely access to your records, lack of a Notice of Privacy Practices, or inadequate breach notifications.
- OCR has jurisdiction over covered entities (e.g., hospitals, clinics, plans) and their business associates (e.g., billing, IT, or analytics vendors).
What to expect from OCR complaint processing
- OCR reviews your complaint for jurisdiction and timeliness, then may seek Early Complaint Resolution, open an investigation, or provide technical assistance.
- Outcomes can include voluntary compliance, corrective action plans, settlement agreements, or civil monetary penalties for serious or willful noncompliance.
- Covered entities are prohibited from retaliating against you for filing a complaint.
Using the OCR Online Complaint Portal
Before you start
- Gather your contact details, the name and address of the organization, dates involved, and a clear HIPAA violation timeline describing what happened and how it affected you.
- Collect supporting documents (e.g., letters, screenshots, bills) that show the facts; redact unrelated sensitive details.
- Decide whether to request confidentiality. OCR may need to share some information to process your complaint.
Step-by-step submission
- Open the OCR Online Complaint Portal and follow the prompts to begin your HIPAA complaint submission.
- Enter the organization’s details, select the issue category (privacy, security, breach, or access), and provide a concise narrative with dates.
- Upload relevant attachments, review your entries, certify accuracy, and submit.
- Save the confirmation page or number for your records.
After you submit
You typically receive a confirmation by email. OCR complaint processing often includes requests for clarification or additional documents, so respond promptly. Keep a file with your timeline, evidence, and any case numbers.
Reporting by Mail or Email
Mailing your complaint
- Complete the official complaint form or write a signed letter that includes your contact information, the organization’s details, a factual summary, and your certification that the information is true.
- Mail it to the address listed on the form. Keep copies, proof of mailing, and a log of dates.
Email submission
- Scan and attach your signed form or letter along with supporting documents.
- Use a clear subject line (for example: “HIPAA complaint submission – [Organization] – [Date(s)]”).
- Because email may not be secure, avoid sending unnecessary PHI and consider encrypted options if available.
Mail and email complaints are processed similarly to online submissions, but they may take longer to receive and digitize. Provide a phone number so OCR can reach you with questions.
State Health Department Reporting
Why also report to your state
State health departments and related licensing boards can investigate issues under state law, patient rights, facility rules, and data breach statutes. While OCR enforces HIPAA, state health department enforcement and oversight can address local safety or quality-of-care concerns that accompany privacy incidents.
How to file at the state level
- Identify the appropriate agency: department of health (facility licensing), medical or nursing board, pharmacy board, or insurance department for health plans.
- Prepare a concise account that aligns with your OCR narrative, including your HIPAA violation timeline and any harms experienced.
- Submit via the state’s online form, mail, or phone as instructed. Request and retain a case or intake number.
- State action complements, but does not replace, federal enforcement. When appropriate, file with both OCR and your state.
Understanding the 180-Day Filing Deadline
In general, you must file with OCR within 180 days of when you knew, or reasonably should have known, about the violation. OCR can extend this deadline for good cause, but you should submit as soon as possible to preserve your rights.
Good-cause examples
- Serious illness, incapacitation, or a natural disaster that prevented timely filing.
- Delayed discovery of a breach because the organization notified you well after the event.
- Other circumstances beyond your control that made it impracticable to file earlier.
Practical timing tips
- Write down the date you discovered the issue and build a simple timeline of key events.
- If the conduct is ongoing, include the most recent date and describe the pattern.
- File a concise complaint now and supplement with additional documents later if needed.
- Save proof of your submission date and check your email (including spam) for OCR requests.
Accessing State-by-State Reporting Information
Finding the right office
Use your state’s official websites to locate complaint portals for health departments, licensing boards, and the attorney general’s consumer protection division. Search phrases like “[State] Department of Health patient complaint,” “medical board complaint [State],” or “attorney general health privacy [State].”
Build your own quick-reference directory
- List for each state: agency name, webpage title, phone, email, and mailing address.
- Note any filing deadlines, required forms, and whether online submission is available.
- Record your OCR and state case numbers together, so you can coordinate updates across agencies.
Bottom line: file with OCR through the online portal for federal HIPAA enforcement, and consider a parallel state report for local oversight. Act within 180 days, keep a clear timeline, and maintain organized records to support a thorough HIPAA compliance investigation.
FAQs
Where can I file a HIPAA violation complaint?
You can file with the HHS Office for Civil Rights using the OCR Online Complaint Portal, or by mailing or emailing a signed complaint. You may also report related concerns to your state health department or licensing board. Filing with both can strengthen your health privacy breach report and ensure the right agencies review your case.
How long do I have to file a HIPAA complaint?
Generally, you have 180 days from when you knew or should have known about the violation. OCR can grant extensions for good cause, but you should submit promptly. Separate state processes may have their own deadlines.
Can I report a violation to my state health department?
Yes. State health departments and licensing boards accept complaints about facilities and providers and may address state-law issues. This does not replace filing with OCR; it complements federal enforcement and can aid enforcement by your state health department.
What information is needed to file a HIPAA complaint?
Provide your contact information, the organization’s name and address, dates of the events, a clear HIPAA violation timeline, a concise description of what happened, and any supporting documents. Include your certification that the information is true and state whether you request confidentiality.