Your Ultimate Guide to Filing HIPAA Complaints: Steps & Tips


Kevin Henry

HIPAA

January 10, 2024

6 minutes read

Filing HIPAA complaints is the formal way to report suspected violations of the Health Insurance Portability and Accountability Act. This guide walks you through the complaint submission procedures step by step so you can act confidently and protect your health information.

  • Confirm the right agency for your issue before you file.
  • Collect the facts, documents, and dates that support your claim.
  • Submit online for the fastest processing, or use mail/fax if needed.
  • Know the 180‑day filing window and possible extensions.
  • Prepare for intake and investigation steps.
  • Understand retaliation prohibition and your protections.

Determine the Appropriate Entity

Start by identifying who allegedly violated HIPAA and which rules are involved. HIPAA applies to covered entities (health plans, most health care providers, and clearinghouses) and their business associates that handle protected health information (PHI).

When to contact the Office for Civil Rights

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigates alleged noncompliance with HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule. Issues such as impermissible disclosures, denial or delay of record access, or inadequate safeguards fall under OCR’s Privacy Rule and Security Rule enforcement.

When to contact CMS for Administrative Simplification

Transactions, code sets, national identifiers, and operating rules are Administrative Simplification Requirements administered by the Centers for Medicare & Medicaid Services (CMS). Problems with electronic transactions or identifiers generally go to CMS’s Administrative Simplification enforcement process.

If HIPAA may not apply

Some apps and consumer services are not HIPAA covered entities or business associates. If the entity is not subject to HIPAA, consider state consumer protection or privacy authorities. You can still file with OCR if unsure; agencies can route or refer complaints as needed.

Gather Necessary Information

Strong, well-organized submissions help agencies assess jurisdiction quickly and minimize follow-up. Assemble:

  • Your contact details and preferred communication method.
  • The covered entity or business associate’s name, location, and role (provider, plan, clearinghouse, vendor).
  • A clear description of what happened, including dates, people involved, what PHI was affected, and how Privacy or Security Rule standards were violated.
  • Evidence: letters, emails, screenshots, notices, policies, account logs, or witness names.
  • Any steps you took to resolve the issue directly (e.g., request for access or correction) and responses received.
  • Your status (patient, plan member, workforce member, or personal representative). If filing for someone else, include authority documentation.

Organize your narrative chronologically. Cross‑reference attachments so investigators can tie each fact to supporting documents.

File the Complaint Electronically

Electronic filing is the quickest way to start an OCR review. The online form guides you through complaint submission procedures, asks screening questions to confirm OCR jurisdiction, and lets you upload supporting files.

Step-by-step

  • Create or use an existing account if prompted so you can track status and securely exchange information.
  • Answer screening questions, then enter your and the respondent’s information accurately.
  • Describe the alleged violation, citing the specific Privacy Rule or Security Rule requirements at issue where applicable.
  • Upload relevant documents and label them clearly (for example, “Access request – 2025‑03‑14”).
  • Certify the information is true and complete, sign electronically, and submit.

Administrative Simplification online complaints

For Administrative Simplification Requirements (transactions, code sets, identifiers, operating rules), use CMS’s online enforcement process. Be ready to provide transaction types, companion guides involved, trading partner details, and error examples.

File the Complaint by Mail or Fax

If you cannot file online, you may submit by mail or fax using the official complaint form. Type or print legibly, sign and date the form, and include copies (not originals) of supporting records.

Tips for paper submissions

  • Include a cover page summarizing the issue, key dates, and the specific HIPAA standards you believe were violated.
  • Number pages and exhibits; use brief captions (e.g., “Exhibit B – Denial of access letter”).
  • Retain a complete copy of everything you send and a confirmation of delivery or fax transmission.

Paper submissions can take longer to process than electronic ones, especially if additional information is needed.

Understand the Complaint Filing Timeline

File as soon as possible. Generally, you must file within 180 days from when you knew, or reasonably should have known, about the alleged violation. OCR may extend this deadline if you can show good cause (for example, hospitalization or delayed discovery).

After submission, intake screening focuses on timeliness, jurisdiction, and sufficiency of detail. If accepted for investigation, you will receive follow‑up requests or notices. Complex matters can take months; cooperating promptly helps move the case along.

Expect an Investigation

Once OCR or CMS opens a case, it typically notifies the respondent and requests information. Investigators may interview witnesses, review policies, and analyze system or transaction logs.

Possible outcomes

  • Technical assistance: the agency educates the entity and closes the case without formal findings.
  • Voluntary compliance or corrective action plan: the entity agrees to specific steps and deadlines.
  • Resolution agreement and monitoring: for significant noncompliance, the entity may enter a formal agreement with oversight.
  • Civil money penalties: in cases such as willful neglect or failure to cooperate, financial penalties can be imposed.
  • No violation or no jurisdiction: the agency may close the matter if the evidence does not support a HIPAA issue or the entity is not subject to HIPAA.

For Administrative Simplification cases, CMS may require trading partners to correct transaction or identifier problems and demonstrate sustained compliance.

Recognize Retaliation Protections

HIPAA’s retaliation prohibition makes it unlawful for covered entities and business associates to intimidate, threaten, coerce, discriminate, or take other adverse action because you filed a complaint, participated in an investigation, or opposed conduct you reasonably believe violates HIPAA.

If you experience retaliation

  • Document what happened, when, and who was involved; save messages and notices.
  • Report the retaliation to OCR as an additional complaint or update to your case.
  • Consider other protections that may apply (for example, employment or nondiscrimination laws) and seek appropriate advice.

Key takeaway

Identify the right agency, present clear facts and evidence, file within 180 days when possible, respond quickly to requests, and assert your rights against retaliation. These steps give your HIPAA complaint the strongest path to a timely, effective resolution.

FAQs

What agencies handle HIPAA complaints?

OCR handles HIPAA Privacy, Security, and Breach Notification matters. CMS oversees Administrative Simplification Requirements involving electronic transactions, code sets, identifiers, and operating rules. If an entity is not subject to HIPAA, state regulators or consumer protection agencies may have jurisdiction.

How do I file a HIPAA complaint online?

Use OCR’s electronic complaint portal for Privacy and Security Rule issues. Complete the guided form, upload supporting documents, certify the information, and submit. For Administrative Simplification concerns, use CMS’s online enforcement process and provide transaction-specific details.

What information is needed for a HIPAA complaint?

Provide your contact information, the entity’s name and role, a clear description of what happened with dates, the HIPAA standards implicated (Privacy, Security, or Administrative Simplification), and supporting evidence. If filing for someone else, include documentation showing your authority.

What happens after I file a HIPAA complaint?

The agency screens your complaint for timeliness and jurisdiction. If accepted, investigators request information from both sides, review records, and determine whether HIPAA was violated. Outcomes range from technical assistance and corrective actions to resolution agreements or civil money penalties; some cases close with no violation.
