How Is a Complaint Filed Under the HIPAA Act?


The Department of Health and Human Services (HHS), which administers the HIPAA Act and its regulations, allows individuals to file health information privacy complaints online. The HIPAA Act and regulations provide a mechanism for employees of covered entities and business associates to file a complaint about a suspected HIPAA violation. An individual files this complaint through the Office for Civil Rights (OCR) complaint portal. Continue reading to find out how to file a HIPAA compliance complaint.

What Complaint Information Must I Provide Under the HIPAA Act?

Employees who wish to file a health information complaint under the HIPAA Act may do so through the OCR complaint portal. When an employee enters the portal, he or she will be asked to provide specific information, including:

  • Employee contact information, including name, address, telephone number, and email address
  • Details of the complaint
  • Any additional information the employee wishes to add


Under the HIPAA Act, Should an Employee File a Complaint Internally First?

When a healthcare employee suspects a violation of the HIPAA Act, the employee can first attempt to report the HIPAA Act violation to a supervisor, or the organization’s Privacy Officer or overall Compliance Officer. After the complaint is made, the organization has a duty to investigate the HIPAA Act complaint internally, and to then render a decision about whether the individual’s complaint constitutes a reportable breach under the HIPAA breach notification rule.

Under the HIPAA Act, once the healthcare provider has investigated the complaint, the organization must then determine whether the breach must be reported to OCR. Under the HIPAA Act, there are three “accidental disclosure” exceptions. The three exceptions under which a breach need not be reported to OCR are:

  1. When there has been an unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if the acquisition, access or use:
    • Was made in good faith; and
    • Was made within the scope of authority.
  2. When there has been an inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate, to another person authorized to access PHI at the covered entity or business associate.
  3. When the covered entity (or business associate) has a good faith belief that the unauthorized person to whom the impermissible PHI disclosure was made would not have been able to retain that information.


Under the HIPAA Act, What Can an Employee Do if the Organization Won’t Investigate?

While employees may report suspected breaches to their employer, as discussed above, this is not a HIPAA Act requirement. The HIPAA Act permits employees to bypass notifying the covered entity and file a HIPAA complaint with OCR directly, through the OCR portal. In addition, an employee may file the complaint with OCR if the employer refuses to act on or investigate a complaint the employee filed with the employer.

In any event, an employee should file a complaint with OCR within 180 days of the violation being discovered, although in certain cases, OCR may grant an extension of the filing deadline.

All complaints will be read and assessed, and investigations into HIPAA complaints will be launched if HIPAA rules are suspected of being violated and the complaint is submitted inside the 180-day timeframe.

Under the HIPAA Act, Can A Complaint be Filed Anonymously?

One persistent myth about the HIPAA Act is that under the HIPAA Act, an individual may not only file a complaint anonymously, but may, as an anonymous individual, have that complaint investigated. This is not the case. While an individual may submit a complaint anonymously, OCR will not investigate any HIPAA complaint if a name and contact information are not supplied.

That said, an individual seeking to file a complaint may worry that, if he or she gives consent to OCR to reveal his or her identity for investigation purposes, he or she may face retaliation from an employer.

OCR recommends that, to ensure a complaint is investigated, and to protect oneself from retaliation, an individual should supply his or her name and contact details and deny OCR consent to reveal their identity or identifying information about them. A consent form is included at the bottom of the complaint form for this purpose. If an individual denies consent, OCR will withhold personal information from the covered entity or business associate if the complaint is investigated.

Providing OCR with one’s contact information, while at the same time denying OCR consent to reveal identifying information, allows OCR to investigate a complaint. If an individual files a complaint anonymously, the entity the individual accused of a HIPAA violation will not be investigated and therefore will likely go unpunished.
