Who Can File a HIPAA Complaint? Eligibility and How to Report a Violation
If you believe your privacy or security rights over protected health information (PHI) were violated, you can file a HIPAA complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. This guide explains who can file, what to include, how to submit, filing timelines, the retaliation prohibition, and where to contact OCR.
Eligibility Criteria for Filing a HIPAA Complaint
Who can file
Anyone who believes a HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule violation occurred may file a complaint. You do not need to be a patient of the organization, but you must describe a specific incident affecting PHI or the safeguarding of PHI.
Filing on behalf of someone else
Parents and legal guardians, estate executors, or other personal representatives may complain for minors or deceased individuals. A caregiver, advocate, or attorney may also submit a complaint with written authorization from the affected person when required.
Who you can complain against
Your complaint must involve a covered entity or a business associate. Covered entities include health plans, most health care providers, and health care clearinghouses. Business associates are vendors or subcontractors that create, receive, maintain, or transmit PHI for a covered entity.
What conduct qualifies
Examples include impermissible disclosures, lack of reasonable safeguards, denial of timely access, overcharging for copies, failure to provide a Notice of Privacy Practices, insufficient security controls, or failure to notify you after a breach. Retaliation for asserting HIPAA rights also qualifies.
Required Information for Complaint Submission
Your information
Provide your name, mailing address, phone number, and email so OCR can contact you. If you file for someone else, include your relationship and any documentation that shows authority to act.
Organization information
Name the covered entity or business associate, include any known department or location, and provide contact details if available. If multiple entities were involved, identify each one and explain their roles.
Incident details
Describe what happened, when you learned about it, who was involved, and how PHI was affected. Specify which HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule obligations you believe were not met. Include dates, times, and the setting (in person, portal, email, device, or system).
Evidence and documents
Attach supporting materials such as letters, portal messages, screenshots, billing statements, access logs you received, or breach notifications. Redact sensitive nonessential data before submitting. Keep originals for your records.
Attestation and accessibility needs
Sign or attest that your statements are true to the best of your knowledge. Note any language access or disability accommodations you need so OCR can communicate effectively with you.
Complaint Submission Methods
Online
Use the OCR Complaint Portal to upload your information and documents. The portal guides you through required fields and generates a case or tracking number for reference. You can return to add details if OCR requests them.
Mail or fax
You may send a written complaint describing the incident and including copies of any evidence. Clearly print your contact information and the names of the organizations involved, and keep a copy of everything you send.
Email and phone assistance
OCR accepts complaints by email as well as through the portal, mail, and fax, and offers phone assistance to request forms, ask process questions, or request accommodations. A complaint itself must be in writing (on paper or electronically), so it cannot be filed by phone, but phone assistance can help you determine whether the organization is a covered entity or business associate and whether HIPAA applies.
Filing on behalf of someone else
When submitting for another person, include proof of authority (for example, guardianship papers or estate documents) or a signed authorization. If you are an employee alleging violations at your workplace, you may file as a workforce member or as an individual whose PHI was affected.
Timelines for Filing a Complaint
Deadline to file
Generally, you must submit your complaint within 180 days of when you knew, or should have known, that the act or omission occurred. OCR may waive this deadline for good cause, for example if you faced delayed discovery, incapacitation, or obstacles to obtaining records.
What to expect after filing
OCR typically acknowledges receipt and reviews whether the complaint alleges a potential violation by a covered entity or business associate. If accepted, OCR may request more details, conduct interviews, and seek records. Cases can take weeks to months depending on complexity and the scope of issues.
How the Breach Notification Rule fits
The Breach Notification Rule requires covered entities to notify affected individuals of breaches of unsecured PHI without unreasonable delay, and no later than 60 calendar days after the breach is discovered. That notification timeline is separate from your 180-day complaint deadline, so you can file even if you received a breach notice or if you believe a notice should have been issued.
Protection Against Retaliation
Your rights under the retaliation prohibition
HIPAA’s retaliation prohibition bars covered entities and business associates from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against you because you exercised a right under the rules (such as requesting access to your records), filed a complaint, assisted an investigation, or opposed practices you believe in good faith violate the HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule, provided your opposition is reasonable and does not itself disclose PHI in violation of the rules.
What retaliation can look like
Examples include firing, discipline, demotion, reduced hours, denial of appointments, refusal to provide copies of records, higher charges, or intimidation. The prohibition applies to patients, plan members, and workforce members who engage in protected activity.
Whistleblower protection
HIPAA permits workforce members and business associates who believe in good faith that a covered entity has acted unlawfully, violated professional or clinical standards, or endangered patients to disclose PHI to a health oversight agency (such as OCR), a public health authority, an appropriate health care accreditation organization, or their own attorney. Entities cannot require you to waive your right to file a complaint as a condition of treatment, payment, enrollment, or eligibility for benefits.
Reporting Retaliation Incidents
Document and escalate
Record dates, times, names, and what happened. Save emails, texts, schedules, or billing statements that reflect the adverse action. If safe, raise the issue with the organization’s privacy officer or compliance officer and request written responses.
File or update your OCR complaint
If retaliation occurs after you complained, inform OCR and reference your case number. You can file a new retaliation complaint if the adverse action is distinct or if retaliation is the primary issue.
Protect yourself during the process
Limit sharing of sensitive personal data to what is necessary. Ask OCR about confidentiality and accommodation options. Continue to keep notes so you can accurately describe events if OCR requests more information.
Contact Information for OCR Complaint Filing
Where to submit
You can file through the OCR Complaint Portal, by mail, by fax, or by email, and you can request assistance by phone. If you prefer in-person support, you may contact an OCR regional office to ask about options.
What to include on mailed submissions
Address your envelope to the U.S. Department of Health and Human Services, Office for Civil Rights, and note that it concerns a HIPAA complaint. Include your return address, best contact numbers, and a list of attachments.
Language and disability access
OCR offers language assistance and disability accommodations. State your needs in your submission or when you call or email so OCR can tailor communications accordingly.
Summary
Anyone who believes a covered entity or business associate violated the HIPAA Privacy Rule, HIPAA Security Rule, or Breach Notification Rule can file a complaint with the Office for Civil Rights. Submit complete, timely details, use a submission method that works for you, and rely on HIPAA’s strong retaliation prohibition if you experience adverse treatment.
FAQs
Who is eligible to file a HIPAA complaint?
Any individual who believes their HIPAA rights were violated, or who observed a violation involving PHI, may file with the Office for Civil Rights. Parents, legal guardians, estate representatives, caregivers, and attorneys can file for others when authorized or acting as personal representatives.
What information is required when filing a complaint?
Provide your contact details, the covered entity or business associate’s name, a clear description of what happened and when, how PHI was affected, and any supporting documents. If filing for someone else, include proof of authority or written authorization.
How can I file a HIPAA complaint?
Use the OCR Complaint Portal, send a written complaint by mail, fax, or email, or request help by phone. Keep copies of everything you submit and note your case or tracking number for follow-up.
What protections exist against retaliation?
HIPAA’s retaliation prohibition bars organizations from punishing you for filing a complaint, participating in an investigation, or asserting your HIPAA rights. If you face intimidation or adverse actions, document the conduct and inform OCR, referencing your case if one exists.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.