Where to Report HIPAA Violations: HHS OCR Requirements, Steps, and Examples
Overview of HHS OCR
The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) is the federal agency that receives and investigates HIPAA complaints. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules and oversees the HIPAA complaint process from intake through resolution.
OCR’s jurisdiction covers “covered entities” (health plans, most health care providers, and health care clearinghouses) and their “business associates” (vendors and subcontractors that handle protected health information). Obligations for both covered entities and business associates include safeguarding PHI, limiting uses and disclosures, providing individuals access to their records, training staff, and reporting breaches.
OCR can investigate alleged violations such as impermissible disclosures, lack of safeguards, or failure to provide timely access. It does not regulate employers in their capacity as employers or consumer apps that are not acting on behalf of a covered entity.
Filing a HIPAA Complaint
To report a potential HIPAA violation, you submit a complaint to HHS OCR. You can file for yourself or on someone else’s behalf. Complaints generally must be submitted within 180 days of when you knew, or should have known, about the incident. OCR may extend this deadline for good cause, so explain any delay.
Step-by-step filing guide
- Confirm the organization is a covered entity or business associate subject to HIPAA.
- Gather facts: what happened, when, who was involved, and how PHI was affected.
- Collect supporting materials such as screenshots, notices, letters, or policy excerpts.
- Choose a submission method (see below) and complete all required fields.
- State whether OCR may share your identity with the organization to facilitate the investigation.
- Submit and retain your confirmation or a copy of your complaint for your records.
Examples of HIPAA violations you can report
- Unauthorized access or “snooping” in a patient’s chart without a treatment or operational need.
- Disclosing PHI to friends, family, media, or marketers without valid authorization.
- Lost or stolen unencrypted devices containing PHI, or weak access controls or inadequate audit logging.
- Failure to provide an individual timely access to their records at a reasonable, cost-based fee.
- Overly broad disclosures that exceed the minimum necessary standard.
- Delayed or missing breach notifications to affected individuals and HHS when required.
- Lack of a business associate agreement when a vendor handles PHI.
Required Complaint Information
Providing complete, accurate details helps OCR determine jurisdiction and investigate efficiently. Include the following whenever possible:
- Your name, mailing address, email, and phone number (or note if you are filing for someone else).
- Name and contact information of the covered entity or business associate you are complaining about.
- Clear description of what happened, including dates, locations, systems involved, and specific PHI affected.
- Why you believe the action violates HIPAA (for example, impermissible disclosure, inadequate safeguards, denial of access).
- Any steps you or the organization already took to resolve the matter.
- Whether the issue involves a business associate and, if known, the nature of the relationship.
- Copies of supporting documents (letters, emails, policies, screenshots), avoiding inclusion of more PHI than necessary.
- Whether you consent to OCR sharing your identity with the entity; this can affect OCR’s ability to obtain facts.
- Timeline to show you met the complaint submission deadlines or to explain good cause for any delay.
Submission Methods for Complaints
You can submit a HIPAA complaint to OCR using any of these methods. Choose the path that lets you clearly describe the issue and upload documents where applicable.
- Online: Use the OCR civil rights complaint portal to enter details and attach files.
- Mail: Print and complete the complaint form and mail it to the appropriate OCR office. Keep copies.
- Fax or Email: Send a completed form and supporting materials by fax or email if available for your region.
- Accessibility and language assistance: Request accommodations or interpretation services as needed when filing.
OCR Investigation Process
After submission, OCR screens your complaint to confirm HIPAA jurisdiction, timeliness, and sufficiency of information. If accepted, OCR notifies the organization, requests a response, and may ask you for clarification or additional documents.
Many matters resolve through technical assistance or voluntary compliance, especially when the entity promptly corrects issues. For substantiated violations, OCR may negotiate resolution agreements that include corrective action plans and monitoring.
Cases involving potential willful neglect, systemic noncompliance, or significant harm may lead to formal findings and enforcement. OCR can also refer possible criminal HIPAA violations to the Department of Justice.
Enforcement Actions and Penalties
When OCR determines noncompliance, outcomes range from technical assistance and voluntary corrective measures to settlements with corrective action plans. In more serious cases, OCR may impose civil money penalties based on factors such as the nature and extent of the violation, culpability, mitigation efforts, and prior compliance history. Penalty tiers escalate with increasing levels of culpability, and statutory amounts are adjusted periodically for inflation.
Enforcement can also require policy updates, workforce training, independent monitoring, risk analyses, and sustained remediation to ensure that covered entities and business associates meet their obligations on an ongoing basis.
Protection Against Retaliation
HIPAA prohibits retaliation against anyone who files a complaint, assists in an investigation, or opposes conduct they reasonably believe violates HIPAA. Retaliation protections cover actions like termination, intimidation, coercion, or threats related to your complaint.
If you experience retaliation, report it to OCR as part of your complaint or in a supplemental submission. Keep documentation of adverse actions and timelines. OCR can address retaliation within its enforcement tools, and you may also have remedies under other federal or state laws.
Summary
To report HIPAA violations, submit a timely, well-documented complaint to HHS OCR. Provide detailed facts, identify the covered entity or business associate, and choose a filing method that lets you attach evidence. OCR reviews, investigates, and resolves cases through technical assistance, corrective action plans, settlements, or civil money penalties, while safeguarding your retaliation protections.
FAQs
How do I file a HIPAA violation complaint?
Prepare a clear account of what happened, identify the covered entity or business associate, gather supporting documents, and submit your complaint to HHS OCR via the online portal, mail, fax, or email. File within 180 days of when you knew or should have known about the violation, or explain good cause for any delay.
What information is required in a HIPAA complaint?
Include your contact details (or the person you represent), the organization’s name and contact information, a detailed description with dates and locations, why it violates HIPAA, any prior attempts to resolve it, relevant attachments, and whether OCR may disclose your identity to the organization.
Can I file a HIPAA complaint anonymously?
You may submit a complaint without identifying yourself, but OCR generally needs contact information to request more details and to communicate outcomes. If you remain anonymous, OCR’s ability to investigate and update you is limited. You can also ask OCR to keep your identity confidential from the organization even if you provide it to OCR.
What happens after OCR receives a HIPAA complaint?
OCR screens for jurisdiction and timeliness, may request more information, and asks the organization to respond. Many matters resolve through technical assistance or voluntary corrective steps. Where violations are found, OCR can require corrective action plans, monitor compliance, or impose civil money penalties; serious cases may be referred for criminal review.