Skip to main content
U.S. flag

An official website of the United States government

Return to Search

What to Expect when filing a complaint

This is an explanation of OCR's HIPAA complaint process. This information is intended for all audiences.

Final

Issued by: Office for Civil Rights (OCR)

Issue Date: June 27, 1905

What to Expect

You may file a health information privacy and security complaint with the Office for Civil Rights (OCR) if you feel a covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules.

How OCR Investigates a Health Information Privacy and Security Complaint

OCR carefully reviews all health information privacy and security complaints. Under the law, OCR only may take action on complaints if:

  • Your rights were violated by a covered entity or business associate
  • You file your complaint within 180 days of the violation

What Happens After the Investigation

At the end of the investigation, OCR issues a letter describing the resolution of the investigation.

If OCR determines that a covered entity or business associate may not have complied with the HIPAA Rules, that entity or business associate must:

  • Voluntarily comply with the HIPAA Rules
  • Take corrective action
  • Agree to a settlement

If the covered entity or business associate does not take satisfactory action to resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.