If you believe your protected health information (PHI) has been mishandled, exposed, or accessed without permission, you have the right to file a HIPAA Complaint and hold the responsible party accountable.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, establishes strict standards for safeguarding sensitive patient data. When these standards are violated, individuals can take action by submitting a formal HIPAA complaint.
Most HIPAA complaints are investigated by the Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS).
In this guide, you’ll learn how to file a HIPAA complaint step by step, including:
- Who can file a HIPAA complaint
- What qualifies as a HIPAA violation
- Where and how to submit your complaint
- What happens after you file
Whether you’re a patient, healthcare provider, or business associate, understanding the HIPAA complaint process is essential for protecting your rights and maintaining compliance.
HIPAA: Background Information
Before learning how to file a HIPAA complaint, it’s important to understand what HIPAA protects and how its rules are enforced.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, was designed to safeguard sensitive patient data, known as protected health information (PHI).
As healthcare organizations adopted electronic health records (EHRs), protecting this data became even more critical—leading to expanded HIPAA requirements over time.
Today, HIPAA is enforced through several key rules:
- Privacy Rule: Defines what qualifies as PHI and how it can be used or disclosed
- Security Rule: Establishes safeguards for electronic protected health information (ePHI)
- Breach Notification Rule: Requires organizations to report unauthorized access or data breaches
- Enforcement Rule: Outlines how HIPAA violations are investigated and penalized
- HITECH Act: Strengthens enforcement, increases penalties, and expands breach reporting requirements
These rules form the foundation of HIPAA compliance—and they directly support the HIPAA complaint process.
If a covered entity, such as a healthcare provider or insurance company, fails to follow these rules, individuals have the right to file a HIPAA complaint with the Office for Civil Rights (OCR).
How to File a HIPAA Complaint with the Office for Civil Rights (OCR)
To file a HIPAA complaint with the Office for Civil Rights (OCR), your submission must meet specific requirements to be accepted and investigated.
Here’s exactly how to file a HIPAA complaint successfully:
1. File Through an Approved Method
You can submit your HIPAA complaint using any of the following methods:
- Online through the OCR Complaint Portal (fastest option)
- By mail
- By fax
- By email
2. Submit Within the 180-Day Deadline
You must file your HIPAA complaint within 180 days of when you discovered the violation.
If you miss this deadline, you may still file—but you’ll need to provide a valid reason (“good cause”) for the delay. OCR may accept late complaints on a case-by-case basis.
3. Identify the Entity and Describe the Violation
Your HIPAA complaint must include the following details:
- The name of the covered entity or business associate involved
- A clear description of what happened and when the violation occurred
- The specific HIPAA rule violated (Privacy Rule, Security Rule, or Breach Notification Rule)
If your complaint meets all three requirements, the OCR may open an investigation and request a formal response from the organization involved.
What Happens After a HIPAA Complaint Is Investigated?
What happens if you violate HIPAA?
After you file a HIPAA complaint, the Office for Civil Rights (OCR) reviews the case and determines whether a violation occurred. The outcome depends on the severity of the issue and how the organization responds.
Here’s what typically happens after a HIPAA complaint is investigated:
1. Complaint Is Dismissed
A HIPAA complaint may be dismissed without further investigation if:
- It was filed after the 180-day deadline
- It does not involve a covered entity or business associate
- No violation of HIPAA rules (Privacy, Security, or Breach Notification) is found
Example: Complaints against employers or schools are often dismissed because they are not covered entities under HIPAA.
2. Informal Resolution (Most Common Outcome)
If OCR determines a violation occurred, it typically works with the organization to resolve the issue through:
- Voluntary compliance
- A corrective action plan (CAP)
- A resolution agreement outlining required changes
Most HIPAA complaints are resolved at this stage, as organizations act quickly to avoid further penalties.
3. Criminal Referral
If the violation involves intentional misuse of protected health information (PHI) or criminal negligence, OCR may refer the case to the Department of Justice (DOJ) for prosecution.
4. Civil Money Penalties (CMPs)
For serious or repeated violations, OCR may impose financial penalties.
- Fines can reach up to $50,000 per violation
- Annual penalties can go up to $1.5 million, depending on severity
Example: In 2010, Cignet Health was fined $4.3 million for failing to provide patients access to their medical records.
Final Thoughts: How to File a HIPAA Complaint the Right Way
Filing a HIPAA complaint is an important step in protecting the privacy and security of sensitive health information.
Whether you’re a patient, employee, or business associate, understanding how to file a HIPAA complaint—and how the process works—helps ensure organizations are held accountable for violations.
Key Takeaways
Here are the most important things to remember:
- HIPAA complaints must be filed within 180 days of discovering the violation (unless valid cause for delay is provided)
- The complaint must involve a covered entity or business associate subject to HIPAA rules
- You must include the organization’s name and a clear description of the violation
- HIPAA includes whistleblower protections to help prevent retaliation
- After submission, the Office for Civil Rights (OCR) may investigate, resolve the issue, or impose penalties
Important: Not all organizations are covered by HIPAA. Employers and most schools, for example, are typically not subject to HIPAA regulations.
Need Help With HIPAA Compliance?
Whether you need help filing a HIPAA complaint or want to prevent one from being filed against your organization, RSI Security can help.
Our HIPAA compliance experts provide:
- Risk analysis and gap assessments
- HIPAA Privacy and Security Rule implementation
- Policy development and workforce training
Avoid costly violations and strengthen your compliance posture. Contact RSI Security
Download Our HIPAA Checklist