Awareness article
How to Report a HIPAA Violation to OCR
Step-by-step instructions for filing a HIPAA complaint with HHS OCR, including who can file, what information is required, and what happens after submission.
Short answer
Any person whose health information rights may have been violated - or their personal representative - can file a complaint with HHS OCR. Complaints can be submitted online through the OCR portal at ocrportal.hhs.gov, by mail using Form OCR-800, or by fax to the relevant regional office. The 180-day filing window runs from the date the person knew or should have known about the violation.
Any person whose health information rights may have been violated can report that concern to the HHS Office for Civil Rights. OCR is the federal agency responsible for enforcing the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
This page covers how to file, what to include, and what happens next.
Who can file a HIPAA complaint with OCR
Under 45 CFR 160.306, any person who believes a covered entity or business associate has violated their HIPAA rights may file a complaint with the Secretary of HHS. That includes:
- the patient whose information was affected
- a personal representative of that patient (such as a parent, legal guardian, or power of attorney holder)
- a third party acting on the patient’s behalf with their consent
Complaints can name health plans, healthcare clearinghouses, and most healthcare providers. Business associates who handle PHI on behalf of covered entities are also subject to OCR enforcement after the HITECH Act expanded direct BA liability.
What information OCR needs
A complaint does not require legal citations or formal language, but it should include enough detail to let OCR determine whether the situation falls within its jurisdiction and warrants investigation. Useful information includes:
- the name and address of the covered entity or business associate
- a clear description of what happened and when
- the names of any staff members involved, if known
- any supporting documentation - denial letters, emails, medical billing statements, screenshots
If you have documentation of the date the violation occurred or the date you first learned about it, include that. The 180-day filing deadline runs from the earlier of those two dates.
How to file online
The fastest filing method is the OCR Complaint Portal at ocrportal.hhs.gov. After creating an account, select “File a Complaint” and complete the Health Information Privacy Complaint form. The portal accepts attachments. You receive an email acknowledgement immediately upon submission.
How to file by mail or fax
Download HHS Form OCR-800 from hhs.gov/hipaa/filing-a-complaint. Complete it and mail or fax it to the OCR regional office that covers the state where the covered entity operates. Regional office contact information is at hhs.gov/ocr/about-us/regional-offices.
After the complaint is filed
OCR reviews the complaint for jurisdiction. If it is accepted, OCR notifies the covered entity and begins collecting information from both parties. Most investigations are resolved through informal resolution, a corrective action plan (CAP), or a resolution agreement. Civil monetary penalties under 45 CFR 160.404 are reserved for cases where OCR finds willful neglect or the covered entity refuses to cooperate.
OCR publishes summaries of closed enforcement actions on its website, which gives covered entities a practical window into what patterns of conduct draw scrutiny.
For small clinics: what this means in practice
If a patient contacts your clinic saying they intend to file an OCR complaint, the appropriate response is cooperation - not delay. OCR can open a compliance review whether or not a specific complaint exists. A clinic that has documented its policies, maintains an incident register, and can produce a completed four-factor breach risk assessment is in a much stronger position than one that is reconstructing its response from memory.
You can also review the four-factor breach risk assessment to understand the documentation OCR will want to see if it investigates a breach at your clinic.
For breach notification timing requirements, see HIPAA breach notification timelines.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.
Sources
- How to File a Health Information Privacy Complaint · HHS OCR
- OCR Complaint Portal · HHS OCR
- 45 CFR 160.306 - Complaints to the Secretary · eCFR
- OCR Regional Offices · HHS OCR