How to Report a HIPAA Violation

Learn how to document a privacy concern, report it correctly, and escalate a HIPAA complaint when needed.

By Sneha Tete, Integrated MA, Certified Relationship Coach
Created on

When protected health information is shared, accessed, or disclosed in the wrong way, the issue may rise to a HIPAA violation. The right response is usually to document what happened, report it to the organization involved, and, if needed, file a complaint with the federal Office for Civil Rights or another appropriate authority.

This guide explains the reporting process in plain language so patients, employees, and other concerned individuals can act quickly and preserve useful evidence.

What counts as a HIPAA problem?

HIPAA is the federal privacy law that sets rules for how certain health organizations handle protected health information, often called PHI. A violation can involve an impermissible disclosure, failure to safeguard records, or another breach of privacy or security obligations.

Examples may include an employee viewing records without a work-related reason, a provider sending patient information to the wrong person, or a business associate mishandling data it received from a covered entity.

  • Improper sharing of medical records
  • Access to information without a legitimate need
  • Lost, stolen, or insecure records containing PHI
  • Failure to follow privacy notice or authorization rules
  • Delayed or inadequate response after a breach is discovered

Start by documenting the incident

The first step is to write down exactly what happened while the details are still fresh. A strong report usually includes the date, approximate time, location, people involved, and a clear description of the event.

Keep copies of any messages, forms, screenshots, letters, voicemails, or other records that may support your concern. If there were witnesses, note their names and how they were connected to the event.

  • Date and time of the event
  • Name of the organization involved
  • Names or roles of the people who handled the information
  • What information was disclosed or accessed
  • How you learned about the possible violation
  • Any documents or images that help prove the issue

Report the concern inside the organization first

In many situations, the best initial move is to contact the organization’s privacy officer, compliance department, or another designated contact. Most healthcare providers and health plans have internal procedures for handling privacy complaints and security incidents.

Reporting internally can help the organization investigate quickly, correct mistakes, and preserve evidence. It also creates a paper trail showing that the concern was raised promptly.

If the organization has a Notice of Privacy Practices, that document often identifies where privacy concerns should be sent. If you are an employee, the company handbook, compliance hotline, or internal reporting system may also describe the process.

Know where a complaint can be sent

If the issue is not resolved or the situation is serious, you can move beyond the organization and submit a formal complaint. The U.S. Department of Health and Human Services Office for Civil Rights, often called OCR, accepts HIPAA complaints from the public.

Depending on the facts, some people may also contact a state attorney general or raise the issue with a health plan or provider that is responsible for the business associate involved. The correct path depends on who handled the information and where the violation occurred.

Reporting option When it may be useful What to include
Internal privacy officer or compliance team When the incident happened within a provider, plan, or employer Basic facts, dates, names, and supporting materials
OCR complaint When the issue involves a covered entity or business associate and needs federal review Contact details, description of the event, and evidence
State attorney general When state-level enforcement may also apply A full account of the disclosure and the organizations involved
Provider or health plan oversight When a business associate may have caused the problem Documentation showing the link between the contractor and the covered entity

How to file with the Office for Civil Rights

OCR accepts complaints electronically through its complaint portal and also allows submissions in writing. A complainant generally needs to identify the covered entity or business associate, describe what happened, and explain why the conduct appears to violate HIPAA.

It helps to be direct and specific. A concise timeline, a short explanation of the harm or risk, and copies of supporting records can make the complaint easier to evaluate.

  • Your name and contact information, or the information for the affected person if you are filing for someone else
  • The organization or individual involved
  • A description of the suspected privacy or security violation
  • Any supporting documents, emails, logs, or screenshots
  • The date you learned about the incident

Watch the filing deadline

HIPAA complaints generally must be filed within 180 days of when you knew, or reasonably should have known, about the violation. That deadline matters, so it is wise to report as soon as possible after the event is discovered.

In some circumstances, OCR may extend the deadline for good cause. Even so, waiting can make it harder to gather evidence or identify the people involved.

What happens after the complaint is submitted?

After a complaint is received, OCR may review the facts, ask for more information, and decide whether the matter should be investigated. Some complaints are resolved through corrective action, while others may close if the facts do not show a HIPAA violation.

If an investigation moves forward, OCR may examine records, interview staff, and evaluate whether the organization followed privacy, security, or breach notification rules. The result can include voluntary corrections, monitoring, or other enforcement steps depending on the facts.

How to strengthen your report

A well-prepared complaint is easier to understand and more likely to be taken seriously. Focus on facts rather than conclusions, and explain how the information was handled rather than only stating that a violation occurred.

  • Use clear, chronological language
  • Attach only relevant supporting records
  • Keep a copy of everything you send
  • Write down the names of anyone you speak with
  • Save proof of submission, such as a confirmation email or mailed copy

Common mistakes to avoid

People sometimes miss the deadline, omit key facts, or fail to keep copies of their materials. Others describe the issue in broad terms without identifying who handled the records or what information was exposed.

Another common problem is skipping the internal reporting step when it would have helped create a record or allowed the organization to fix the issue faster. While internal reporting is not always required, it is often useful.

Frequently asked questions

Who can file a HIPAA complaint?

Any person who believes a HIPAA-covered entity or business associate violated privacy or security rules may file a complaint. In some cases, someone can also file on behalf of another person.

Do I have to report the issue to the organization first?

No, not always. However, reporting to the privacy officer or compliance team can be a practical first step because it may lead to a faster fix and create useful documentation.

Can I report if I only suspect a violation?

Yes. A complaint can be based on a reasonable belief that information was handled improperly. You should still include as many facts and records as possible.

What if the organization ignores my complaint?

If the response is delayed, incomplete, or absent, you can escalate the matter to OCR and, where appropriate, to a state attorney general or another oversight body.

Will filing a complaint protect me from retaliation?

HIPAA-related complaint procedures are designed to allow people to raise privacy concerns without punishment for reporting. If retaliation is threatened or occurs, that fact should also be documented and reported.

Practical checklist before you file

Before submitting a complaint, review your materials one last time to make sure the report is complete and easy to follow. A short checklist can prevent delays and help you organize the issue clearly.

  • Confirm the date you first learned about the incident
  • Identify the correct organization or business associate
  • Gather emails, letters, screenshots, or logs
  • Write a factual summary of what happened
  • Choose the right reporting channel
  • Save copies of everything submitted

References

  1. Filing a Health Information Privacy Complaint — U.S. Department of Health and Human Services, Office for Civil Rights. 2026-07-10. https://www.hhs.gov/hipaa/filing-a-complaint/index.html
  2. OCR Complaint Portal — U.S. Department of Health and Human Services, Office for Civil Rights. 2026-07-10. https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
  3. How to Report a HIPAA Violation: Your Practical Guide for 2026 — HIPAA University. 2026-07-10. https://hipaauniversity.com/blog/report-a-violation/
  4. How to Report a HIPAA Violation — HIPAAJournal. 2026-07-10. https://www.hipaajournal.com/report-hipaa-violation/
  5. How to File a HIPAA Complaint — Health.mil. 2026-07-10. https://www.health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties/HIPAA-Compliance-within-the-MHS/How-to-File-a-HIPAA-Complaint
Sneha Tete
Sneha TeteBeauty & Lifestyle Writer
Sneha is a relationships and lifestyle writer with a strong foundation in applied linguistics and certified training in relationship coaching. She brings over five years of writing experience to waytolegal,  crafting thoughtful, research-driven content that empowers readers to build healthier relationships, boost emotional well-being, and embrace holistic living.

Read full bio of Sneha Tete