Suspected HIPAA violations are reported to authorities by filing a written complaint with the HHS Office for Civil Rights, either through the OCR Complaint Portal or by mail, fax, or email, within the required filing timeframe. The complaint identifies the covered entity or business associate and describes the act or omission believed to violate the HIPAA Privacy Rule, HIPAA Security Rule, or HIPAA Breach Notification Rule. The HHS Office for Civil Rights is the primary federal agency that investigates complaints alleging violations of the HIPAA Rules by HIPAA covered entities and business associates.
A complaint submission should include the organization’s legal name and location, the date range of the suspected conduct, and a factual description of what occurred, including the system, department, workforce role, and type of protected health information involved. Supporting documentation may include copies of notices received, screenshots, audit excerpts provided by the organization, correspondence, policies, or other records that substantiate the allegation. Patient identifiers that are not required to describe the event should be excluded from the submission to limit unnecessary disclosure of protected health information.
The HHS Office for Civil Rights complaint process requires contact information so the agency can request clarification, confirm jurisdiction, and obtain additional facts. The filing deadline is typically 180 days from when the complainant knew of the alleged act or omission, with extensions available when good cause is established. When a complainant requests confidentiality, the agency can evaluate that request during case handling, but the facts described in a complaint may still allow the organization to infer the source in limited situations. Complaints may be filed by an individual, a workforce member, or a third party acting on behalf of an affected person.
If retaliation occurs after a complaint is filed, report the retaliatory conduct to the HHS Office for Civil Rights using the same complaint channel, and include the date, the action taken, and its relationship to the complaint activity. Organizations may have separate reporting obligations under other federal or state authorities based on the conduct alleged, but complaint intake and investigation under the HIPAA Rules are handled through the HHS Office for Civil Rights process.