How to Report a HIPAA Violation: The Complete Guide

August 5, 2025

The Health Insurance Portability and Accountability Act (HIPAA) protects your private health information from being accessed or shared by unauthorized people. But what happens when someone breaks these rules?

In 2023, the U.S. experienced a significant number of healthcare data breaches, with over 725 large-scale incidents reported, affecting approximately 133 million individuals. If you believe that your health information has been mishandled or shared inappropriately, it’s important to know that you can take action. Reporting a HIPAA violation is the best way to ensure your privacy is protected and that healthcare providers are held responsible for keeping your information safe.

In this guide, we’ll walk you through what a HIPAA violation is, how to gather the right information, and the steps you need to file one. By the end, you’ll know exactly how to report HIPAA violations.

What Is a HIPAA Violation?

A HIPAA violation occurs when a healthcare provider, business associate, or any covered entity fails to comply with HIPAA rules. These rules ensure that patients’ protected health information (PHI) remains confidential. PHI includes anything that can identify a patient, like their name, medical history, or social security number. Here are some common examples of HIPAA violations:

  1. Unauthorized Access: When someone views patient information without permission.
  2. Data Breaches: When patient information is exposed due to poor security measures.
  3. Improper Disposal of Records: Throwing away medical records without shredding them.
  4. Failure to Obtain Consent: Sharing patient information without consent for purposes outside of treatment, payment, or operations.
  5. Inadequate Training: When staff are not properly trained on HIPAA regulations and security protocols.

When Should You Report a HIPAA Violation?

If you think a HIPAA violation has occurred, it’s important to report it as soon as possible. Reporting early can prevent more harm, especially if sensitive patient information has been shared or mishandled. The longer you wait, the more risk there is for personal health information to be exposed, which could hurt patients or lead to misuse of their data. 

Here are some common situations where you should report a HIPAA violation:

  1. If you overhear healthcare workers discussing a patient’s private medical details in hallways, waiting rooms, or elevators, it’s a violation.
  2. If you are sent someone else’s medical records by mistake, the healthcare provider has violated privacy rules, and it should be reported.
  3. If someone who shouldn’t have access to patient information is viewing or using it, this is a serious violation.
  4. If you see patient information shared on social media without consent, it’s a clear violation of HIPAA laws.
  5. If healthcare workers are not following proper steps to protect private medical information, like leaving patient files out in the open, it should be reported.

Reporting HIPAA violations as soon as you spot them can help you protect patient privacy and ensure that healthcare providers are held responsible for keeping information safe.

How to Gather Information Before Reporting

Before reporting a HIPAA violation, it’s important to gather as much information as possible. The more details you have, the easier it will be for investigators to handle the case.

  1. Document the Incident: Write down what you observed, the date and time, and any individuals involved. Take note of the specific information that was exposed or mishandled.
  2. Collect Evidence: If you have access to any physical or digital proof, such as emails, photos, or records, keep them safe. However, avoid taking unauthorized copies of patient information.
  3. Identify Witnesses: If anyone else saw the violation occur, try to get their statements or contact information.
  4. Stay Confidential: Do not share this information with others unnecessarily, as doing so could further breach privacy rules.

Having accurate information helps build a stronger case and allows the issue to be resolved more quickly.

Where to Report a HIPAA Violation

Before learning how to report HIPAA violations, let’s see where to file them. Depending on the nature of the violation and your role (as an employee, patient, or third party), you can report HIPAA violations to different authorities. 

Report to Your Employer (If Applicable)

If you are an employee of a healthcare organization and you witness a HIPAA violation, you should first report it to your employer. Most healthcare organizations have a compliance officer or designated person to handle HIPAA concerns. Check your company’s policy to understand the internal reporting procedures.

Report to the U.S. Department of Health and Human Services (HHS)

The Office for Civil Rights (OCR) within HHS is responsible for enforcing HIPAA. If you are not comfortable reporting internally or believe the violation is significant, you can file a complaint with the OCR. Here’s how you can do that:

  • Visit the OCR complaint portal and fill out the required details.
  • Send a written complaint to the OCR office. Include all necessary details, such as the date of the violation and the individuals or organizations involved.
  • You can also send a complaint via email or fax to the OCR.

Report to State Attorney General’s Office

Some states have their own laws for protecting patient privacy, which may be stricter than HIPAA. You can also report a violation to your state’s Attorney General if you believe state privacy laws have been broken.

File a Whistleblower Report

If you are an employee and fear retaliation for reporting a HIPAA violation, you can file a whistleblower report. This ensures that your identity is protected and that your employer cannot legally punish you for reporting the violation.

Steps to File a HIPAA Complaint with OCR

Reporting HIPAA violations to the Office for Civil Rights (OCR) is a fairly simple process. Still, it’s important to follow the steps correctly so that your complaint is taken seriously and processed without delays.

1. Submit the Complaint Within 180 Days

You must file your complaint within 180 days of discovering the HIPAA violation. This means that as soon as you realize your or someone else’s medical information has been mishandled, you should take action quickly. If the violation occurred more than six months ago, the OCR might not accept your complaint unless you can provide a valid reason for the delay. So, it’s best not to wait too long to file.

2. Provide Detailed Information

When you file your complaint, be prepared to provide as much detail as possible. This will help the OCR understand what happened and investigate the violation properly. The information you’ll need to include:

  1. Your name and contact information so that the OCR can reach out to you if they need more details.
  2. The name of the organization or individual responsible for the violation. This could be a hospital, doctor’s office, or healthcare provider.
  3. A description of the violation, including when it happened (dates and times), where it happened, and who was involved.
  4. Any evidence or documentation you have that supports your claim, such as emails, letters, or other documents.

3. Submit the Complaint Online or via Mail

Once you’ve gathered all the necessary information, you can file your complaint either online using the OCR’s complaint portal or by sending your complaint through the mail. Make sure to double-check all the details before submitting to avoid any mistakes that could slow down the process.

4. Await a Response

After you submit your complaint, the OCR will review the information you provided. They may reach out to you for additional details. If they determine that a HIPAA violation has occurred, they will start an investigation. This may take some time, so be patient while they work on your case.

What Happens After a Complaint Is Filed?

After you file a complaint with the Office for Civil Rights (OCR), they follow a step-by-step process to investigate the issue. These steps include:

1. Reviewing the Complaint

First, the OCR will review your complaint to see if it meets the necessary criteria under HIPAA regulations. If the complaint is not valid or doesn’t fall under HIPAA rules, it will be dismissed, and you will be informed.

2. Investigating the Complaint

If the complaint is valid, the OCR will begin an investigation. They will gather evidence, interview relevant individuals, and examine whether the organization in question followed HIPAA guidelines. The organization will also have a chance to provide its response during the investigation.

3. Resolution Process

If the OCR finds a violation has occurred, they will take corrective action. This could include:

  1. Corrective Action Plans: The organization may need to update its privacy or security practices.
  2. Fines and Penalties: Depending on the severity, the OCR can impose fines ranging from thousands to millions of dollars.
  3. Criminal Charges: In extreme cases, such as when patient information is sold, the case may be referred to the Department of Justice for possible criminal prosecution.

4. Case Closure

Once the investigation is completed and any necessary actions are taken, the case is closed, and you will be informed of the outcome.

How to Protect Yourself from HIPAA Violations

Whether you work in healthcare or are a patient, it’s important to understand HIPAA rules to prevent violations and protect personal health information. Now that we know how to report HIPAA violations, let’s see how to protect ourselves from them. 

For Healthcare Employees

If you work in a healthcare setting, always follow the HIPAA training your organization provides. This training teaches you how to handle patient information safely. Never discuss private medical details in public areas like hallways or elevators where others can overhear. 

Keep all medical records, whether paper or electronic, secure. Only access patient information if necessary for your job, and avoid sharing patient details with anyone who isn’t authorized to know.

For Patients

As a patient, you must know your privacy rights. You have the right to ask healthcare providers how your information will be used and who will have access to it. Don’t hesitate to ask questions if you’re unsure about how your health data is being handled. 

If you notice anything that doesn’t seem right, such as receiving someone else’s records or improper handling of your data, report your concerns to the healthcare provider.

Take Action to Protect Your Privacy!

Learning how to report HIPAA violations is an important step to protecting not only your personal health information but also the privacy of others. Failure to follow HIPAA rules can lead to serious consequences for anyone handling patient data. 

Remember, you have the right to feel safe knowing that your medical records and personal details are being handled properly. If you ever suspect that your information has been exposed, don’t hesitate to take action. Protecting your health information is everyone’s responsibility, and by taking the right steps, you can play a key role in keeping your private details secure.

If you work with personal health information, HIPAA training helps you protect patient privacy and stay compliant. Take the first step: sign up for HIPAA training now!
