HIPAA Complaint: How to File, What to Expect, and How to Protect Your Rights

Learn how to file a HIPAA complaint step-by-step. Understand your rights, deadlines, and what happens after you report a violation.

A HIPAA complaint is a formal allegation submitted to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) when an individual believes that a covered entity or business associate has violated the Health Insurance Portability and Accountability Act. These complaints are one of the primary enforcement mechanisms built into HIPAA, allowing patients, employees, and other affected parties to report privacy breaches, security failures, and denials of individual rights over protected health information (PHI). Understanding how this process works is essential for anyone whose medical data may have been mishandled.

Every year, the OCR receives tens of thousands of HIPAA complaints from across the United States. In fiscal year 2023 alone, OCR received more than 46,000 complaints, a figure that has grown steadily as awareness of patient rights has increased. Not every complaint results in a formal investigation or penalty, but each one is reviewed to determine whether the alleged conduct falls within HIPAA's jurisdiction and whether there is sufficient evidence to pursue corrective action. The sheer volume of complaints underscores how seriously Americans take their health information privacy.

HIPAA complaints can cover a wide range of alleged violations. Common grievances include healthcare providers sharing PHI without patient authorization, health plans disclosing records to unauthorized third parties, covered entities failing to honor patients' rights to access or amend their own records, and organizations neglecting to implement adequate security measures to protect electronic PHI. Each of these situations can form the basis of a valid complaint if the alleged conduct involves a covered entity subject to HIPAA rules.

Filing a HIPAA complaint is not the same as filing a lawsuit. HIPAA does not provide individuals with a private right of action, meaning patients cannot personally sue a covered entity for a HIPAA violation in federal court based solely on HIPAA law. Instead, the OCR investigates complaints and may impose civil monetary penalties, require corrective action plans, or refer egregious cases to the Department of Justice for criminal prosecution. Understanding this distinction helps complainants set realistic expectations before beginning the process.

One of the most critical requirements for filing a valid HIPAA complaint is the 180-day deadline. Complainants must submit their complaint to OCR within 180 days of the date they knew or should have known about the alleged violation. OCR has the authority to waive this deadline for good cause, but failing to file in time is one of the most common reasons complaints are dismissed without investigation. Keeping careful records of when you discovered the violation and when you took action is therefore extremely important.

Beyond federal complaints filed with OCR, some states have enacted their own health privacy laws that may provide additional remedies or different filing procedures. California's Confidentiality of Medical Information Act (CMIA), for example, allows individuals to sue for damages in state court under certain circumstances. Knowing both your federal HIPAA rights and any applicable state protections gives you the most complete picture of your options when PHI has been improperly disclosed or handled.

This guide walks through every stage of the HIPAA complaint process, from identifying a potential violation and gathering documentation, to filing your complaint online or by mail, understanding what OCR does with your submission, and knowing what outcomes are possible. Whether you are a patient whose records were shared without consent, an employee who witnessed a privacy breach, or a compliance professional building your team's knowledge base, this comprehensive overview will give you the tools to navigate the process with confidence.

HIPAA Complaints by the Numbers

  • 📊 46,000+ complaints filed in FY2023 (HHS OCR annual report)
  • ⏱️ 180 days: filing deadline, counted from the date the violation was discovered
  • 💰 $1.9M: average settlement in major 2023 enforcement actions
  • 🛡️ 97%: complaints resolved without a penalty, via investigation or technical assistance
  • ⚠️ $100 to $50K: per-violation fine range across the civil monetary penalty tiers

Types of HIPAA Complaints You Can File

🔒 Privacy Rule Complaints

These complaints allege that a covered entity disclosed PHI without valid authorization, failed to provide patients access to their records, or violated the minimum necessary standard when sharing health information with third parties.

💻 Security Rule Complaints

These involve failures to protect electronic PHI through required administrative, physical, or technical safeguards. Examples include unsecured servers, lack of encryption, or insufficient access controls on electronic health record systems.

📢 Breach Notification Complaints

Filed when a covered entity fails to notify affected individuals, HHS, or (for breaches affecting more than 500 residents of a state or jurisdiction) prominent media outlets after a breach of unsecured PHI is discovered. Individual notices must be sent without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.

📋 Patient Rights Complaints

These address situations where covered entities deny patients' rights to access, amend, or restrict use of their health records, or where they fail to provide an accounting of disclosures as required under the Privacy Rule.

โš ๏ธRetaliation Complaints

HIPAA prohibits covered entities from retaliating against individuals who file complaints, participate in OCR investigations, or exercise their privacy rights. Retaliation complaints are treated with particular urgency by OCR investigators.

Understanding who is eligible to file a HIPAA complaint is the first step toward exercising your rights effectively. Any individual who believes their health information privacy has been violated, or who has witnessed a violation affecting others, may submit a complaint to OCR. This includes patients, former patients, personal representatives acting on behalf of deceased individuals, employees of covered entities who have witnessed internal violations, and even third parties who have been improperly given access to someone else's PHI without that person's knowledge or consent.

Complaints may be filed by the individual directly affected by the alleged violation or by someone acting on their behalf. A personal representative โ€” defined under HIPAA as someone with legal authority to make healthcare decisions for another person โ€” can file on behalf of a patient who is incapacitated, a minor child, or a deceased individual.

Parents generally have the right to file on behalf of their minor children, though some exceptions apply when state law grants the minor the right to control their own health information, such as in cases involving reproductive healthcare, mental health treatment, or substance abuse services.

Employees who witness HIPAA violations within their organization also have standing to file complaints, and HIPAA's anti-retaliation provisions explicitly protect whistleblowers from termination, demotion, or other adverse employment actions taken in response to a good-faith complaint. This protection extends throughout the complaint and investigation process, and organizations that retaliate against complainants face their own separate HIPAA enforcement actions. Healthcare workers concerned about internal privacy practices should document everything carefully and consider consulting an employment attorney before filing.

There is no requirement that the complainant have suffered direct harm as a result of the alleged violation. OCR investigates alleged violations regardless of whether the complainant can demonstrate specific damages. This differs significantly from civil tort law, where proving actual harm is typically required to win a lawsuit. The focus of OCR enforcement is on whether a covered entity or business associate violated HIPAA's requirements, not on whether that violation caused measurable injury to a specific individual.

Covered entities subject to HIPAA complaints include health plans such as employer-sponsored insurance, Medicare, Medicaid, and individual market plans; healthcare providers who transmit health information electronically, including hospitals, physician offices, clinics, pharmacies, and nursing homes; and healthcare clearinghouses. Business associates (third-party vendors who handle PHI on behalf of covered entities, such as billing companies, IT vendors, and cloud storage providers) can also be named as respondents in HIPAA complaints, since the 2013 Omnibus Rule made them directly liable for compliance.

One important limitation: HIPAA complaints must be filed against covered entities or business associates, not against private individuals who happen to receive or share medical information outside of any professional healthcare context. If a neighbor shares information about your health condition that they overheard from a conversation, that is generally not a HIPAA violation because the neighbor is not a covered entity. HIPAA governs the conduct of organizations operating in the healthcare system, not private individuals acting in personal capacities, a distinction that sometimes surprises complainants unfamiliar with the law's scope.

Individuals who are unsure whether their situation involves a covered entity can use OCR's online resources or call the OCR complaint hotline for guidance before filing. OCR staff can help you determine whether the entity you are complaining about falls under HIPAA's jurisdiction and whether the alleged conduct would potentially constitute a violation. This preliminary step can save considerable time and ensure that your formal complaint, once filed, is directed at the right respondent and addresses the right legal provisions.

How to File a HIPAA Complaint: Methods and Requirements

The fastest and most efficient way to file a HIPAA complaint is through OCR's online complaint portal at ocrportal.hhs.gov. You will need to create a free account and complete the digital complaint form, which guides you through identifying the respondent, describing the alleged violation, uploading supporting documents, and confirming the 180-day filing deadline. The portal allows you to save drafts and return later, submit attachments such as letters, emails, or screenshots, and track the status of your complaint after submission.

Once submitted online, you will receive an automatic confirmation email with your complaint reference number. An OCR intake coordinator will review your submission and contact you if additional information is needed. Online filing is recommended because it reduces processing time, ensures all required fields are completed before submission, and creates a documented record of exactly when your complaint was received. Response times depend on OCR's caseload; many complainants report an initial OCR response within 30 to 60 days of filing, but this is not a guaranteed timeline.

Filing a HIPAA Complaint: Benefits and Limitations to Understand

✅ Pros
  • Free to file: OCR charges no fees to submit or process a HIPAA complaint
  • Protects public health privacy by creating accountability for covered entities
  • Can trigger investigations that uncover systemic violations affecting thousands of patients
  • Anti-retaliation protections shield complainants from adverse employment actions
  • Can result in significant civil monetary penalties and corrective action plans
  • Raises organizational awareness that may prevent future violations of PHI
❌ Cons
  • No private right of action: individuals cannot personally recover damages via HIPAA alone
  • Investigations can take months or even years to conclude
  • OCR may close cases without investigation if resources are limited or evidence is insufficient
  • Confidentiality is not guaranteed: respondents may learn the complainant's identity
  • Outcomes are not directly controlled by the complainant once OCR takes over
  • State privacy laws may not fill the compensation gap, depending on jurisdiction

HIPAA Complaint Filing Checklist

  • Identify the covered entity or business associate responsible for the alleged violation.
  • Confirm the alleged conduct falls within HIPAA's Privacy Rule, Security Rule, or Breach Notification Rule.
  • Verify that your complaint is within the 180-day filing deadline from the date you discovered the violation.
  • Gather all supporting documentation, including correspondence, records requests, denial letters, and emails.
  • Record exact dates and details of when the violation occurred and when you became aware of it.
  • Decide whether to request confidentiality of your identity, and understand the trade-off for the investigation.
  • Choose your filing method: online via ocrportal.hhs.gov (recommended) or paper form by mail or fax.
  • Complete all required fields on the complaint form, including respondent contact information and violation description.
  • Include specific, factual details about what happened rather than general or vague allegations.
  • Save a copy of your completed complaint, all attachments, and confirmation of submission for your records.

The 180-Day Deadline Is Strict: Act Quickly

OCR must receive your complaint within 180 days of the date you knew or should have known about the alleged violation. While OCR can waive this deadline for good cause, waivers are granted sparingly. If you are close to the deadline, file online immediately; you can supplement with additional documentation afterward. Missing the 180-day window is the single most common reason valid complaints are dismissed without investigation.

Once OCR receives your complaint, it begins a structured intake and review process to determine how to proceed. During intake, an OCR coordinator reviews the complaint to confirm that it meets the basic jurisdictional requirements: the respondent must be a covered entity or business associate, the alleged conduct must fall under HIPAA's provisions, and the complaint must have been filed within the applicable time limit. Complaints that fail any of these threshold requirements are typically dismissed and the complainant is notified of the reason for dismissal.

If the complaint passes the initial jurisdictional review, OCR moves to a more detailed evaluation phase to determine whether the allegations, if true, would constitute a HIPAA violation and whether the complaint merits a full investigation. OCR uses a priority system to triage the thousands of complaints it receives annually, focusing investigative resources on cases involving the most serious violations, systemic patterns of noncompliance, and large numbers of affected individuals. Single-incident complaints involving relatively minor violations are more likely to be resolved through informal technical assistance than through formal investigation.

When OCR opens a formal investigation, it notifies both the complainant and the respondent. The respondent is given an opportunity to respond to the allegations, provide supporting documentation, and explain their policies and practices relevant to the complaint. OCR may request extensive documentation from the respondent, including copies of HIPAA policies and procedures, training records, audit logs, business associate agreements, and incident reports. This documentation review process can take several months, particularly for complex cases involving large healthcare organizations.

Throughout the investigation, OCR may conduct on-site visits to inspect the respondent's facilities and operations. These visits allow investigators to observe physical safeguards firsthand, interview staff, and examine security configurations that cannot be fully evaluated from paper records alone. On-site investigations are more common in cases involving large-scale breaches, repeated violations, or situations where the respondent's written responses appear inconsistent with the alleged facts. Respondents must cooperate fully with OCR investigations; obstruction can itself constitute a separate HIPAA violation.

OCR also has the authority to open compliance reviews of covered entities even in the absence of a complaint, though complaint-driven investigations remain the primary enforcement mechanism. In practice, large data breaches that are reported to OCR through the mandatory breach notification process often trigger investigations that parallel or follow any individual complaints received about the same incident. This means that a breach affecting thousands of patients may generate both a breach notification review and one or more individual complaints that are investigated simultaneously.

During the investigation process, OCR may attempt to resolve the matter through informal resolution and voluntary compliance. Many investigations conclude with the respondent agreeing to implement corrective measures, update policies, provide additional staff training, and sometimes pay a resolution amount as part of a Resolution Agreement. These negotiated settlements are the most common outcome of formal HIPAA investigations and allow covered entities to correct deficiencies without the full weight of a formal civil monetary penalty proceeding.

If voluntary compliance cannot be achieved, OCR has the authority to issue formal findings of HIPAA violations and impose civil monetary penalties. Penalties are structured in four tiers based on the level of culpability, from the lowest tier (the covered entity did not know, and could not reasonably have known, of the violation) to the highest (willful neglect that is not corrected within 30 days). The base amounts set in 2013 run from $100 to $50,000 per violation, with an annual cap per identical provision of roughly $1.9 million; HHS adjusts both figures for inflation each year, so the current amounts are somewhat higher. Understanding these penalty tiers helps complainants appreciate the seriousness with which OCR treats documented HIPAA violations and the significant financial consequences that can result from noncompliance.

The outcomes of HIPAA complaint investigations fall into several categories, and understanding each helps complainants know what to expect from the process. The most common outcome, accounting for the majority of OCR complaint closures, is resolution through technical assistance, where OCR determines either that no violation occurred or that a minor violation was corrected voluntarily once the covered entity became aware of the complaint. In these cases, OCR may provide guidance to the covered entity on improving its practices without imposing any formal penalty or requiring a corrective action plan.

A more significant outcome occurs when OCR finds evidence of a HIPAA violation and negotiates a Resolution Agreement with the covered entity. Resolution Agreements typically include three components: a financial settlement amount paid to HHS, a corrective action plan (CAP) outlining specific remedial steps the covered entity must take, and a monitoring period during which OCR tracks the covered entity's compliance with the CAP. Resolution Agreements are publicly announced by OCR and serve as powerful deterrents to other covered entities by signaling that noncompliance carries real financial consequences.

In the most serious cases, OCR may impose civil monetary penalties (CMPs) without reaching a negotiated settlement. CMPs are appropriate when covered entities demonstrate willful neglect of HIPAA requirements, refuse to cooperate with the investigation, or fail to reach voluntary compliance despite extended negotiations. CMPs can be substantial (multi-million dollar penalties have been levied against large health systems), and they are published publicly, creating significant reputational damage in addition to financial harm. The covered entity may contest a CMP through a hearing before an administrative law judge.

Criminal referrals represent the most severe outcome of HIPAA enforcement and apply in cases involving intentional misuse of PHI for personal gain or malicious purposes. OCR can refer egregious cases to the Department of Justice, which may prosecute individuals under 42 U.S.C. § 1320d-6. The criminal provision has three tiers: up to one year in prison for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, up to five years if the offense is committed under false pretenses, and up to ten years if it is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. Criminal prosecutions are rare but are pursued in the most serious cases.

For complainants, one of the most important protections throughout this entire process is HIPAA's anti-retaliation provision. Section 164.530(g) of the Privacy Rule prohibits covered entities from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against individuals who exercise their rights under HIPAA, file complaints with OCR, or participate in an OCR investigation. This protection applies from the moment a complaint is filed through the conclusion of any investigation, and retaliation itself can become the subject of a separate HIPAA complaint and enforcement action.

If you believe you have experienced retaliation after filing a HIPAA complaint, document every incident immediately: record dates, times, descriptions of the retaliatory conduct, and the names of anyone who witnessed it. Report the retaliation to OCR promptly, referencing your original complaint number so investigators can connect the two matters. OCR treats retaliation as a distinct violation, so include the evidence you have gathered for the retaliation itself rather than relying on the file from your original complaint. You may also wish to consult an employment attorney who can advise on parallel remedies available under whistleblower protection statutes or state employment laws.

Beyond filing a federal HIPAA complaint, individuals who have suffered harm from a PHI breach should consider exercising all available parallel remedies. Some states, California among them through the CMIA, have health privacy laws that allow civil lawsuits for damages in state court; whether a private right of action exists, and what it covers, varies by state, so check the law of the state where the disclosure occurred.

You should also request a free credit freeze if your Social Security number or financial information was exposed alongside your health records, monitor your explanation of benefits statements for signs of medical identity theft, and review your medical records for unauthorized entries that might indicate fraudulent use of your health information. Taking these protective steps simultaneously with filing your OCR complaint gives you the most comprehensive protection available under current law.

For healthcare professionals studying HIPAA compliance, whether preparing for a certification exam, onboarding to a new employer, or refreshing their knowledge after a policy update, understanding the complaint process from both sides of the equation is essential. As a patient, knowing how to file a complaint empowers you to protect your own health information. As a healthcare worker or administrator, understanding what triggers complaints and how OCR investigates them provides the clearest possible picture of where compliance gaps are most likely to create organizational exposure.

The most effective way to prevent HIPAA complaints from being filed against your organization is to build a genuine culture of privacy and security rather than treating compliance as a checkbox exercise. This means conducting regular and thorough risk assessments that identify vulnerabilities in how PHI is stored, transmitted, and accessed. It means providing training that goes beyond annual PowerPoint presentations and actually teaches employees how to recognize and respond to privacy risks in their day-to-day work. And it means establishing clear channels for employees to report potential violations internally before those violations escalate into formal OCR complaints.

When studying for HIPAA-related certifications or exams, pay particular attention to the distinctions between the Privacy Rule, Security Rule, and Breach Notification Rule, since each has different complaint triggers, investigation standards, and potential penalties. Understand the four-tier penalty structure and be able to describe the difference between violations due to lack of knowledge, reasonable cause, willful neglect that is corrected, and willful neglect that is not corrected. These distinctions frequently appear on certification exams and are essential for real-world compliance work.

Practice questions and mock exams are among the most effective tools for cementing your understanding of HIPAA complaint procedures. Active recall, the process of retrieving information from memory rather than simply re-reading it, has been shown in cognitive science research to produce significantly better long-term retention than passive review. When you practice answering scenario-based questions about HIPAA violations, you are not only testing what you know but also identifying the gaps in your understanding that need further study before exam day.

Focus particular attention on scenario-based questions that describe a specific situation and ask you to identify whether a HIPAA violation occurred, which rule was violated, what the appropriate complaint procedure would be, and what penalties might apply. These scenario questions are the hardest type on most HIPAA certification exams because they require you to apply legal knowledge to novel facts rather than simply recall a definition. The best preparation is to work through as many realistic scenarios as possible, ideally covering cases involving common violations like unauthorized disclosures, denied records access requests, and inadequate breach notifications.

Time management during HIPAA exams is another skill that practice tests help you develop. Many candidates know the material well in the abstract but struggle to answer accurately under timed conditions. Regular practice with timed question sets helps your brain retrieve HIPAA knowledge efficiently even under the mild cognitive pressure of exam conditions. Aim to complete practice questions at a pace of roughly 90 seconds per question to simulate real exam timing, and review every question you miss โ€” not just to learn the right answer but to understand why your chosen answer was wrong.

Finally, stay current with OCR enforcement trends and recent HIPAA developments, since certification exams increasingly test practical, up-to-date knowledge rather than just foundational rules. OCR regularly publishes enforcement highlights, resolution agreements, and guidance documents on its website that describe real-world violations and the corrective actions that resolved them. Reading these materials alongside your formal study materials gives you both the theoretical framework and the practical context that will help you excel on any HIPAA-related assessment and apply what you have learned in your professional work.

About the Author

Brian HendersonCIA, CISA, CFE, MBA

Certified Internal Auditor & Compliance Certification Expert

University of Illinois Gies College of Business

Brian Henderson is a Certified Internal Auditor, Certified Information Systems Auditor, and Certified Fraud Examiner with an MBA from the University of Illinois. He has 19 years of internal audit and regulatory compliance experience across financial services and healthcare industries, and coaches professionals through CIA, CISA, CFE, and SOX compliance certification programs.
