Who Do You Report HIPAA Violations To? Official Channels and Steps
If you believe protected health information was used or disclosed improperly, you have clear paths to act. This guide explains who you report HIPAA violations to, how to escalate concerns, and what timelines and protections apply so you can move confidently and effectively.
Reporting HIPAA Violations Internally
Your first step, when safe and practical, is to use your organization’s internal process. Covered entities and business associates must designate a Privacy Officer and often a Compliance Officer to receive and investigate concerns about privacy or security incidents.
Where to start
- Notify the Privacy Officer or Compliance Officer using your organization’s reporting channel (hotline, email, incident form, or direct report).
- If you are a workforce member, you may also tell your supervisor, who should route the issue to the designated HIPAA contact.
- If patients raise the concern, staff should assist them with the internal complaint process and provide the appropriate contact.
What to include in your internal report
- Who was involved and whose protected health information (PHI) was affected.
- What happened, including systems or records involved and any suspected cause.
- When and where the incident occurred, and whether it is ongoing.
- Any evidence (screenshots, emails) and steps already taken to mitigate harm.
Document each step you take and keep copies of submissions and responses. Internal reporting can lead to faster mitigation and may be required by policy even if you also report externally.
Reporting HIPAA Violations Externally
You can report directly to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) at any time, and especially if the violation is serious, ongoing, or systemic, or if you are uncomfortable using internal channels.
Primary external options
- Office for Civil Rights: The federal agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules.
- State Attorney General: Many states can independently enforce HIPAA and state health privacy laws. You may file with both OCR and your State Attorney General.
These routes are not mutually exclusive. Filing with OCR does not prevent you from also reporting to a State Attorney General or appropriate professional licensing board when applicable.
Methods to File Complaints with OCR
1) Submit online via the HIPAA Complaint Portal
The HIPAA Complaint Portal is the quickest, most complete way to file. It guides you to provide the details OCR needs and lets you upload supporting documents securely.
2) Send a written complaint to an OCR regional office
If you prefer paper, you can mail or fax a signed letter to your OCR regional office. Clearly identify the organization involved, describe what happened, and include your contact information so OCR can follow up.
Information to include (regardless of method)
- Your name and contact information (you may request confidentiality; providing contact details helps OCR investigate).
- The covered entity or business associate involved and relevant locations.
- Dates, a factual description of what occurred, and how the HIPAA Rules may have been violated.
- Impact (who was affected, volume/sensitivity of PHI) and any steps taken to mitigate harm.
- Any supporting evidence (emails, letters, screenshots, policies).
What to expect after filing
- Intake review to confirm OCR’s jurisdiction and the complaint’s timeliness.
- Possible investigation, requests for information, and resolution discussions with the entity.
- Outcomes may include technical assistance, voluntary corrective action, resolution agreements with monitoring, or civil monetary penalties where warranted.
Timeframe for Filing Complaints
For OCR complaints, you generally must file within 180 days of when you knew—or reasonably should have known—about the violation. OCR may extend this deadline if you show good cause (for example, serious illness, inability to obtain key records, or other circumstances beyond your control).
Do not wait. The sooner you report, the easier it is for investigators to obtain records, interview witnesses, and limit further exposure of PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Protection Against Retaliation
HIPAA retaliation protections prohibit covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against anyone for filing a complaint, participating in an investigation, or opposing practices believed to violate HIPAA.
If you fear or experience retaliation
- Document incidents (dates, people involved, emails, texts, meeting notes).
- Report the retaliation to OCR as part of your complaint or as a new complaint.
- Use internal HR or compliance channels and consider raising your concern with your State Attorney General if state employment or consumer protections may also apply.
Workforce members also have limited whistleblower allowances to share information with oversight bodies or an attorney for the purpose of reporting potential violations, provided disclosures follow HIPAA’s requirements.
Reporting Data Breaches to OCR
The HIPAA Breach Notification Rule places reporting duties on covered entities (and in some cases, business associates) when unsecured PHI is breached.
Key OCR reporting thresholds
- 500 or more individuals affected: Report to OCR without unreasonable delay and no later than 60 calendar days from discovery of the breach.
- Fewer than 500 individuals affected: Log the breach and submit to OCR within 60 days after the end of the calendar year in which the breach occurred.
Reports to OCR should describe what happened, the types of PHI involved, how many individuals were affected, steps taken to mitigate harm, and measures implemented to prevent recurrence. Affected individuals must also be notified without unreasonable delay and no later than 60 days after discovery.
Importance of Timely Reporting
Timely reporting protects patients, limits harm, and strengthens enforcement. Acting quickly helps organizations contain incidents, preserves crucial evidence, and ensures compliance with federal and state requirements.
Practical tips
- Write down the facts immediately and keep a simple timeline.
- Save relevant messages, screenshots, or system logs in a secure location.
- If internal responses stall or the risk is ongoing, proceed to the Office for Civil Rights without delay.
Summary
Report internally to the Privacy Officer or Compliance Officer when safe, and externally to OCR via the HIPAA Complaint Portal or your OCR regional office if needed. File within 180 days, know that HIPAA retaliation protections apply, and remember that entities must report qualifying data breaches to OCR on strict timelines.
FAQs
Who is responsible for handling HIPAA complaints internally?
The designated Privacy Officer—often working with the Compliance Officer—is responsible for receiving, tracking, and resolving internal HIPAA complaints. Workforce members may also raise concerns to their supervisor, who should route them to the Privacy Officer.
How do I file a complaint with the Office for Civil Rights?
Use the HIPAA Complaint Portal to submit details and uploads, or send a signed written complaint to your OCR regional office. Include who was involved, what happened, dates, impact, and your contact information, and file as soon as possible.
What is the deadline for reporting a HIPAA violation?
To OCR, the general deadline is 180 days from when you knew or should have known of the violation, with possible extensions for good cause. For organizational breach reporting to OCR, incidents affecting 500+ individuals must be reported within 60 days of discovery; smaller breaches are due within 60 days after the end of the calendar year.
What protections exist against retaliation for reporting violations?
HIPAA bars covered entities and business associates from retaliating against anyone who reports, participates in an investigation, or opposes unlawful practices. You can request confidentiality from OCR, document any adverse actions, and report retaliation as a separate violation.