How to file a HIPAA Complaint with the OCR

HIPAA
April 22, 2021
What do you do when you believe that an individual or a company is potentially violating HIPAA? The answer is you file a complaint with the Office of Civil Rights.

How to File a HIPAA Complaint with OCR

So what do you do when you believe that someone and/or company that is supposedly HIPAA compliant is in fact doing something that isn’t? The answer is you file a complaint with the Office of Civil Rights (OCR).

Don’t waste time filing a complaint they can’t investigate. Review these questions before filing a health information privacy or security complaint with OCR.

Are You Willing to Give OCR Your Name and Contact Information?

OCR does not investigate complaints filed without a name and contact information on the complaint. While we know people worry about their name getting out there and might get some unwanted attention from the media, if you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.

Does Your Complaint Describe an Activity that Might Violate the Privacy or Security Rule?

If you are not sure, go ahead and file your complaint--just remember OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so they would not investigate a complaint that described this situation. Another example would be you going to your regular doctor to show them you have an eye problem like a stye infection that won’t go away. Your regular doctor would send you to an eye doctor, while sending them your medical information in case they prescribe you something or they need to surgically remove the stye and need to know if you are allergic to what they prescribe or use on you.

Complaint Requirements

  • Your complaint should be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
  • Name of the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules
  • Your complaint must be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show "good cause"

HIPAA Prohibits Retaliation

Under HIPAA, an entity cannot retaliate against you for filing a complaint. Please notify OCR immediately in the event of any retaliatory action that has occurred.

Filing a Complaint Online

Go to the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:

  • Information about you (the complainant)
  • Details of the complaint (The more details the better)
  • Any additional information that might help OCR when reviewing your complaint

You will then need to electronically sign the complaint and complete the consent form. After completing the consent form you will be able to print out a copy to keep for your own records.

Filing a Complaint in Writing

File a Complaint Using the Health Information Privacy Complaint Form Package

Open and fill out the Health Information Privacy Complaint Form Package in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:  Print and mail the completed complaint and consent forms to:

Centralized Case Management Operations

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Room 509F HHH Bldg.

Washington, D.C. 20201

Or Email the completed complaint and consent forms to OCRComplaint@hhs.gov (Please be aware that communication by unencrypted email presents a risk that personally identifiable information contained in such an email, may be intercepted by unauthorized third parties)

File A Complaint Without Using Their Health Information Privacy Complaint Package

If you prefer, you may submit a written complaint in your own format, Just print and mail the completed complaint and consent forms to:

Centralized Case Management Operations

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Room 509F HHH Bldg.

Washington, D.C. 20201

Email to OCRComplaint@hhs.gov


Be sure to include:

  • Your name
  • Full address
  • Telephone numbers (include area code)
  • E-mail address (if available)
  • Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
  • Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
  • Any other relevant information
  • Your signature and date of complaint
  • If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.


Remember to include these things if you need them:

  • If you need special accommodations for them to communicate with you about this complaint
  • Contact information for someone who can help them contact you if they cannot reach you directly
  • If you have filed your complaint somewhere else and where you’ve filed

File a Security Rule Complaint

You may file a Security Rule complaint electronically via the OCR Complaint Portal, or using their Health Information Privacy Complaint Package - PDF.

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.

Are You Filing Against an Entity that is Required by Law to Comply with the Privacy and Security Rules? 

Not all entities are required to comply with the Privacy and Security Rules. OCR can only investigate the covered entities that must comply with these rules. Covered entities include most:

  • Doctors
  • Clinics
  • Hospitals
  • Dentists
  • Psychologists
  • Nursing Homes
  • Chiropractors
  • Pharmacies
  • Health Insurance Companies
  • Company Health Plans
  • Medicare, Medicaid, and other government programs that pay for health care
Did the Activity Occur After the Privacy and Security Rules Took Effect?

OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date. Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.

With this information, you can file a HIPAA complaint without worrying about whether or not you did it right.


Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
chevron left
Expert guidance
chevron left
Build trust
chevron left
Dedicated Compliance Success Managers
chevron left
HIPAA Training
chevron left
Decrease risk
chevron left
Close more deals