
Filing a HIPAA complaint


The Health Insurance Portability and Accountability Act (HIPAA) was created to safeguard sensitive patient information and ensure healthcare organizations handle protected health information (PHI) responsibly. When these protections are violated, patients and employees have the right to report concerns through a HIPAA complaint.

Understanding these rights and knowing how to respond to a suspected violation empowers individuals to help protect the privacy, security, and integrity of confidential medical information.


Patient rights under HIPAA

HIPAA gives patients important rights over their PHI. These rights are intended to ensure that individuals have greater transparency and control over how their medical information is collected, used, stored, and shared. According to the U.S. Department of Health and Human Services (HHS), "The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information." This protection applies to information in any format, including electronic, paper, and oral communications. Patient rights under HIPAA include:

  • The right to access medical records: Patients have "a right to inspect and get a copy of their health records and other health information."
  • The right to request corrections: Individuals can ask healthcare providers to amend inaccurate or incomplete medical information.
  • The right to receive a Notice of Privacy Practices: Healthcare organizations must explain "how the covered entity may use and disclose protected health information."
  • The right to request confidential communications: Patients can request that providers communicate through alternative methods or locations for privacy purposes.
  • The right to limit certain disclosures: Individuals may request restrictions on how their PHI is used or shared.
  • The right to file a complaint: Patients can report suspected HIPAA violations without fear of retaliation.

The patient's right to file a HIPAA complaint

When an individual believes that their privacy rights have been violated, HIPAA affords them the right to file a complaint. HHS states that individuals can file a complaint if they believe a covered entity or business associate "violated your (or someone else's) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules."

Complaints can be submitted directly to the HHS Office for Civil Rights (OCR) online, by mail, or by email. HHS notes that complaints should generally be filed within 180 days of when the individual became aware of the issue, although extensions may be granted for good cause.

Importantly, HIPAA protects individuals from retaliation for reporting concerns. According to HHS guidance, covered entities "may not retaliate against you for filing a complaint." This safeguard encourages patients, employees, and whistleblowers to report suspected violations without fear of intimidation or discrimination.

Filing a HIPAA complaint improves healthcare privacy practices by identifying compliance gaps, reinforcing accountability, and encouraging healthcare organizations to establish stronger safeguards for sensitive patient information.

Go deeper: What are patient rights under HIPAA?


Identifying potential violations

Patients should recognize instances that might constitute a HIPAA violation. These can include unauthorized disclosure of medical records, improper access to health information, or instances where PHI is used inappropriately. Understanding what qualifies as a breach is the first step in addressing the issue.

Related: What are the consequences of not complying with HIPAA?


Steps to filing a HIPAA complaint

Anyone can file a complaint regarding potential violations of the HIPAA Privacy, Security, or Breach Notification Rules. According to HHS, the steps to filing a complaint are as follows:

Determine whether the organization is covered by HIPAA

Before filing a complaint, confirm that the organization involved is required to comply with HIPAA. HHS states that covered entities include "doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, dentists, health insurance companies, company health plans, Medicare, Medicaid, and other government programs that pay for health care."

The OCR can only investigate complaints involving organizations that fall under HIPAA regulations.


Gather information about the incident

Patients should collect as much information as possible about the suspected violation. According to HHS, complaints should include:

  • The name of the healthcare organization or provider
  • A description of what happened
  • When the incident occurred
  • Any relevant documents or evidence

HHS explains that complaints must "describe the acts or omissions" believed to have violated HIPAA requirements.


File the complaint within the required timeframe

HIPAA complaints generally must be filed within 180 days of when the individual became aware of the violation. However, OCR may extend this deadline if "good cause" is shown for the delay.


Submit the complaint

HHS notes that complaints must "be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal." When filing online, individuals may need to provide:

  • Personal contact information
  • Details about the complaint
  • Supporting information or documentation
  • An electronic signature and consent form


Cooperate with the investigation process

After receiving a complaint, OCR reviews the information to determine whether an investigation is appropriate. According to HHS, OCR may require organizations to:

  • Take corrective action
  • Voluntarily comply
  • Agree to settlements or penalties

At the end of the process, OCR issues a letter explaining the outcome of the investigation.


Filing a HIPAA complaint via email

The study titled "Change in Patient Perceptions of Electronic Communication Methods for an Orthopaedic Fracture Clinic Between 2019 and 2024" found that "The proportion of participants preferring email communication increased significantly from 68.89% in 2019 to 80.61% in 2024." This growing preference shows how email has become an increasingly accepted communication channel for patients in healthcare settings. Given this shift, patients may also find email a practical option when submitting HIPAA complaints.

When submitting a HIPAA complaint via email, patients should include:

  • Their full name and contact details
  • The name of the healthcare provider, insurer, or organization involved
  • A clear description of the suspected HIPAA violation
  • Relevant dates and timeline of events
  • Any supporting documentation (such as screenshots, emails, or letters)

Including detailed and accurate information helps OCR assess the complaint more efficiently and determine whether further investigation is required.

Since HIPAA complaints may contain sensitive personal health information, it is important to consider email security when submitting them. Using a secure email solution, such as Paubox, can help ensure that sensitive information is transmitted safely. Secure, encrypted email platforms reduce the risk of unauthorized access and support safer communication when sharing PHI or sensitive complaint details.

Go deeper: How to File a Health Information Privacy or Security Complaint


FAQs

What are common examples of HIPAA violations?

Common examples include:

  • Unauthorized access to medical records
  • Sharing PHI without consent
  • Sending unencrypted medical information
  • Discussing patient information publicly
  • Losing devices containing PHI

Can patients file a complaint anonymously?

While complaints typically require contact information, individuals may request confidentiality during the investigation process.


Will patients be informed about the outcome of their complaint?

OCR typically notifies complainants about whether the complaint was accepted, investigated, or resolved.


What happens if a HIPAA violation is confirmed?

Organizations may be required to implement corrective actions, update policies, retrain staff, or face financial penalties depending on the severity of the violation.
