How to Report a HIPAA Violation: Two Processes, Explained
TLDR
Reporting a HIPAA violation means different things depending on which direction you're facing. If you witnessed a violation by another entity, you file a complaint with OCR at ocrportal.hhs.gov within 180 days. If your practice experienced a breach, you have separate notification obligations — to affected individuals and HHS — with timelines that depend on breach size. Small breaches still require a written breach log even if they don't trigger individual notifications.
Two Types of HIPAA Violation Reports
The phrase “reporting a HIPAA violation” covers two distinct situations that have different processes, deadlines, and consequences.
Reporting a violation you witnessed means filing a complaint with the Office for Civil Rights (OCR) at HHS about a covered entity or business associate you believe violated HIPAA. You are the complainant. The practice or organization is the subject of investigation.
Reporting a breach your practice experienced means fulfilling your obligations as a covered entity under the Breach Notification Rule. Your practice experienced or discovered an incident involving PHI, and you must notify the affected individuals, HHS, and potentially the media.
Both are covered below.
How to Report a HIPAA Violation to OCR
If you witnessed, experienced, or have reason to believe a HIPAA violation occurred — whether as a patient, an employee, or a third party — you can file a complaint directly with OCR.
Where to file: ocrportal.hhs.gov — the HHS Complaint Portal. The process is fully online, free, and does not require legal representation.
What to include in the complaint:
- The name and location of the covered entity or business associate involved
- A description of the acts or omissions you believe violated HIPAA
- The approximate date when the violation occurred or when you discovered it
- Your contact information (optional if filing anonymously, but OCR may have limited investigative capacity without it)
Deadline: 180 days from the date you knew or should have known about the violation. This deadline applies even if the violation is ongoing. OCR has discretion to waive the deadline for good cause, but do not rely on this.
Retaliation is prohibited. HIPAA prohibits covered entities from retaliating against individuals who file complaints with OCR. If you experience retaliation after filing, that is itself a reportable violation.
How to Report a Breach Your Practice Experienced
If your practice discovers a breach of unsecured PHI — a staff member sending records to the wrong patient, a device with unencrypted PHI being lost, unauthorized access to patient records — you have mandatory reporting obligations under the Breach Notification Rule.
Step 1: Assess whether it’s a reportable breach. Not every incident is a breach. The Breach Notification Rule applies to breaches of unsecured PHI — PHI that has not been encrypted (or destroyed) to HHS standards. A lost device whose data is encrypted to that standard is generally not a reportable breach, provided the decryption key was not lost or exposed along with it; if the key was also compromised, the encryption safe harbor does not apply.
Step 2: Document the incident immediately. Log the date discovered, nature of the PHI involved, how many individuals may be affected, what PHI categories were exposed, and any immediate corrective actions taken. This log is required regardless of breach size.
Step 3: Notify affected individuals. Written notification to each affected individual is required without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The 60 days is an outer limit, not a target. Notification must include a description of what happened (including the date of the breach and the date of discovery, if known), the types of PHI involved, steps individuals can take to protect themselves, what the practice is doing in response, and the practice’s contact information.
Step 4: Notify HHS.
- Breaches affecting 500 or more individuals: notify HHS at the same time as the individual notices, no later than 60 days after discovering the breach, via the HHS breach reporting portal.
- Breaches affecting fewer than 500 individuals: log the breach, then submit it to HHS no later than 60 days after the end of the calendar year in which it was discovered. That is March 1 of the following year in a common year, but February 29 when the following year is a leap year, because the rule is written in days rather than as a calendar date.
Step 5: Notify media (if applicable). If the breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area, again no later than 60 days after discovery. This is a separate requirement from the HHS notification, and note the threshold differs: HHS is notified immediately at 500 or more individuals in total, while media notice is triggered by more than 500 residents of one state.
Common mistake: practices log large breaches but don’t maintain a breach log for small incidents. Every breach — including a single misdirected email — must be documented, even if it affects only one patient.
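The five steps above are easy to get wrong on dates and thresholds, so here is a small deadline calculator, added as an example for this article (it is not PHIGuard code and not an HHS tool). It keeps one record per breach in the shape Step 2 describes, applies the encryption safe harbor from Step 1, and returns the individual, HHS and media deadlines from Steps 3–5. The record fields, the per-state count and the sample log entries are assumptions made for the example; the only rules it encodes are the ones stated on this page.

```python
"""Breach-notification deadline calculator (added example, not PHIGuard code).

Rules encoded, as stated in the article:
  * individual notice: no later than 60 days after discovery
  * HHS notice: within 60 days of discovery for 500 or more individuals,
    otherwise within 60 days after the end of the calendar year of discovery
  * media notice: more than 500 residents of a single state or jurisdiction
Field names and the sample records below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: HHS notified with the individual notices
MEDIA_THRESHOLD = 500           # more than 500 residents of one state: media notice


@dataclass
class BreachRecord:
    """One entry in the practice's breach log (fields follow Step 2 above)."""
    discovered: date
    phi_involved: list[str]                 # categories exposed, e.g. ["name", "DOB"]
    description: str
    residents_by_state: dict[str, int]      # assumed field: affected individuals per state
    encrypted_to_hhs_standard: bool = False
    key_also_compromised: bool = False
    corrective_actions: list[str] = field(default_factory=list)

    @property
    def individuals_affected(self) -> int:
        return sum(self.residents_by_state.values())

    def is_unsecured_phi(self) -> bool:
        """Encryption is a safe harbor only if the key was not exposed too."""
        return not (self.encrypted_to_hhs_standard and not self.key_also_compromised)


def annual_hhs_deadline(discovered: date) -> date:
    """60 days after the end of the calendar year of discovery.

    March 1 in a common year, but February 29 when the following year is a
    leap year, which is why the rule is stated in days rather than as a date.
    """
    return date(discovered.year, 12, 31) + NOTICE_WINDOW


def notification_plan(rec: BreachRecord) -> dict:
    """Return who must be notified and by when for one breach record."""
    if not rec.is_unsecured_phi():
        # Not a breach of unsecured PHI: no notices, but keep it in the incident log.
        return {"reportable": False, "log_required": True,
                "individual_notice_by": None, "hhs_notice_by": None,
                "hhs_tier": None, "media_notice_states": []}

    individual_deadline = rec.discovered + NOTICE_WINDOW
    if rec.individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs_tier, hhs_deadline = "immediate", individual_deadline
    else:
        hhs_tier, hhs_deadline = "annual", annual_hhs_deadline(rec.discovered)

    # Media notice is per state and uses a strict "more than 500" test.
    media_states = sorted(s for s, n in rec.residents_by_state.items() if n > MEDIA_THRESHOLD)

    return {"reportable": True, "log_required": True,
            "individual_notice_by": individual_deadline,
            "hhs_notice_by": hhs_deadline,
            "hhs_tier": hhs_tier,
            "media_notice_states": media_states}


def annual_submission(log: list[BreachRecord], year: int) -> list[BreachRecord]:
    """Small breaches of unsecured PHI discovered in `year`, due to HHS together
    by annual_hhs_deadline(). Every record stays in the log regardless."""
    return [r for r in log
            if r.discovered.year == year
            and r.is_unsecured_phi()
            and r.individuals_affected < HHS_IMMEDIATE_THRESHOLD]


# Constructed sample log entries for illustration only.
SAMPLE_LOG = [
    BreachRecord(date(2024, 3, 15), ["name", "DOB", "diagnosis"],
                 "Billing export emailed to unverified vendor address",
                 {"TX": 600, "OK": 50},
                 corrective_actions=["Recalled message", "Retrained billing staff"]),
    BreachRecord(date(2024, 7, 1), ["name", "appointment date"],
                 "Appointment reminder sent to wrong patient", {"CA": 1}),
    BreachRecord(date(2023, 11, 2), ["name", "MRN"],
                 "Unencrypted USB drive lost in parking lot", {"NY": 40}),
    BreachRecord(date(2024, 5, 20), ["full chart"],
                 "Encrypted laptop stolen, key held separately", {"WA": 900},
                 encrypted_to_hhs_standard=True),
    BreachRecord(date(2024, 1, 10), ["name", "insurance ID"],
                 "Portal misconfiguration exposed statements", {"FL": 500}),
]


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(f"{rec.discovered} {rec.individuals_affected:>4} affected -> {notification_plan(rec)}")
    print("due with the annual submission for 2024:", len(annual_submission(SAMPLE_LOG, 2024)))
```

Two of the sample records are there specifically for the edge cases: the USB drive discovered in November 2023 gets an annual HHS deadline of February 29, 2024, not March 1, and the 500-person Florida breach triggers immediate HHS notice but no media notice, because 500 is not more than 500.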
What Happens After You File a Complaint
OCR’s process has five stages:
- Initial review. OCR determines whether the complaint is within its jurisdiction (the entity is a covered entity or business associate, HIPAA applies, the complaint is timely).
- Investigation. OCR notifies the covered entity and requests documentation. Both parties may be asked to provide information. OCR may conduct interviews or on-site visits for serious allegations.
- Determination. OCR concludes whether a violation occurred. Many cases end here with a finding of no violation or a finding that the entity has already corrected the issue.
- Corrective action or resolution. If a violation is found, OCR typically seeks voluntary compliance — a corrective action plan requiring the entity to address the deficiency and report progress. OCR may also issue a resolution agreement, which is a settlement with specific compliance obligations.
- Civil monetary penalties. If an entity refuses to cooperate or correct violations, OCR can impose formal penalties. This is less common than corrective action, but it occurs.
Most investigations resolve within 1-3 years, depending on complexity. Serious or systemic violations take longer.
Documenting Violations Before They Become Breaches
Not every incident crosses the threshold of a reportable breach. A staff member accessing a record they shouldn’t have, or a near-miss where PHI was almost sent to the wrong person, may not meet the technical definition of a breach — but it still needs to be documented.
Maintaining an incident log that captures near-misses and minor violations gives your practice two advantages: (1) it shows a functioning compliance program if OCR ever investigates, and (2) it helps you identify patterns before they become systemic problems.
PHIGuard includes an incident log and breach documentation workflow. When a staff member reports an incident, the platform records the date, nature of PHI involved, individuals affected, and corrective actions taken. For breaches that require HHS reporting, the timeline tracker shows the 60-day deadline and where you are in the notification process. Practice plan is $20/month for practices up to 10 staff; Clinic is $49/month for up to 25 staff.
Definitions
- Breach Notification Rule: A HIPAA rule requiring covered entities to notify affected individuals, HHS, and sometimes the media following a breach of unsecured protected health information. Notification timelines and recipients depend on the number of individuals affected.
- Unsecured PHI: Protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction per HHS-specified standards. Only breaches of unsecured PHI trigger the Breach Notification Rule.
- Breach Log: A required written record that covered entities must maintain of all breaches of unsecured PHI affecting fewer than 500 individuals. The log must include the date of the breach, nature of the PHI involved, who accessed it, what corrective actions were taken, and the number of individuals affected.
Frequently Asked Questions
How do you report a HIPAA violation to OCR?
Submit a complaint to the HHS Office for Civil Rights through the online portal at ocrportal.hhs.gov. The complaint must be filed within 180 days of when you discovered or should have discovered the violation. You will need to identify the covered entity involved, describe the violation, and provide your contact information (unless filing anonymously). There is no fee to file.
What are the HIPAA breach notification requirements for a small practice?
A small practice that experiences a breach of unsecured PHI must: (1) notify affected individuals in writing without unreasonable delay and no later than 60 days after discovering the breach; (2) notify HHS via the breach reporting portal — within 60 days of discovery if the breach affects 500 or more individuals, or within 60 days after the end of the calendar year of discovery (March 1, or February 29 in a leap year) for smaller breaches; (3) notify prominent media outlets in a state if the breach affects more than 500 residents of that state. All breaches, regardless of size, must be logged in the practice's breach log.
What happens after you file a HIPAA complaint with OCR?
OCR reviews the complaint to determine whether it has jurisdiction and whether the allegations, if true, would constitute a violation. If accepted for investigation, OCR notifies the covered entity, collects information from both parties, and makes a determination. Most complaints are resolved through voluntary corrective action agreements. If violations are confirmed and the entity fails to correct them, OCR may impose civil monetary penalties.