You might think small privacy lapses are harmless, but under HIPAA, they carry weight. A lab slip sent to the wrong person or overheard patient conversations count as violations, and you have the right to act.
Your complaint helps protect patients’ rights by preventing repeat mistakes and reminds organizations that privacy rules apply every day. Once you know the routes, you can report with confidence.
This guide will show you how to report a HIPAA violation, explain the 180-day deadline, and outline what happens after you file. The steps are straightforward, and the right tools make the process easier.
Here’s a quick version of what you came for: the three fastest HIPAA violation reporting options. It tells you exactly where to file, what details matter, and how to document them, but keep reading so your complaint is not rejected at intake.
Quick answer: How to report a HIPAA violation promptly?
Filing a HIPAA complaint is more approachable than most people assume. You have three clear choices, and each works depending on your role and the type of violation you want to report.
1. File with HHS Office for Civil Rights (OCR)
The HHS Office for Civil Rights (OCR) is the federal agency that enforces HIPAA rules. The easiest route is the online complaint portal, which guides you through entering dates, naming the organization, describing what happened, and uploading proof.

2. Report internally to the Privacy Officer
If you are an employee or contractor, start by reporting through your organization’s Privacy Officer or compliance hotline. Internal reporting often resolves issues faster and documents that you followed official procedures.

3. File with State Attorney General or the FTC
Some violations are handled better at the state level or when health apps outside HIPAA are involved. State attorneys general enforce HIPAA locally, while the FTC handles personal health record vendors not covered by HIPAA.

Extra resources for you to use
You can also use the HIPAA violation reporting phone number (1-800-368-1019) or TTY (1-800-537-7697) if you prefer phone support. This is useful when you need help completing the OCR form.
The OCR phone number provides direct support with filing a HIPAA complaint; the OCR TTY line offers the same support for callers who are deaf or hard of hearing.
To further simplify reporting, make a complaint details worksheet to log the “who, what, when, and where” before filing.
With these three options, you can match your situation to the best reporting path.
Next, let’s look closely at what actually qualifies as a HIPAA violation so you can recognize which incidents are worth filing.
What counts as a HIPAA violation? Clear examples you can report
Understanding what actually qualifies as a HIPAA violation helps you decide when to act. Many incidents seem small, but if they involve protected health information being mishandled, they are worth reporting.
Everyday Privacy Rule slips
You may see staff gossiping about patients in hallways, medical records denied to a patient, or test results shared with family without consent. Each case breaks the HIPAA Privacy Rule and can be reported.
Security Rule issues
HIPAA requires technical safeguards, yet common lapses include unlocked workstations facing public areas, shared user logins, or missing auto-logoff settings. These risks expose electronic health records, and they count as HIPAA violations.
Breach Notification problems
When patient data is exposed, HIPAA requires timely breach notifications. If an organization delays notices, skips reporting to HHS, or fails to tell affected patients, you can report this as a violation.
Is it a HIPAA violation or just bad practice?
Reporting beyond personal impact
You can file a HIPAA complaint even if the violation did not affect you directly. For example, overhearing another patient’s details or spotting improper document disposal is still valid to report.
Knowing these categories makes it easier to spot what qualifies. Next, let’s look at where to report HIPAA violations and which channel fits your situation best.
Where to report HIPAA violations?
Once you know you have witnessed a HIPAA violation, the next step is deciding where to report it. Different channels exist, and choosing the right one saves time and ensures effective action.
OCR: primary federal route
The Office for Civil Rights is the main enforcement body. File complaints through the online OCR portal, or send them by email, fax, or mail. Remember, mailed complaints require a signed consent form.
Internal reporting within organizations
If you are an employee, your first option is usually to report internally. Contact the Privacy Officer or use anonymous hotlines. Organizations must document these reports and often resolve smaller violations quickly.
State Attorneys General
Your state attorney general can also handle HIPAA violations, especially when state laws provide stronger protections. This route works well when state penalties or remedies add to federal enforcement options.
FTC under the Health Breach Notification Rule
For health apps and personal health record vendors, such as fitness apps that are not covered by HIPAA, you should report violations to the Federal Trade Commission. The FTC enforces rules that apply when sensitive health data is leaked or misused.
When and where should I report this?
With clear reporting channels outlined, the next step is understanding how to file HIPAA complaints anonymously and how investigators handle confidentiality requests.
How to report a HIPAA violation anonymously?
Sometimes you want to raise a concern without exposing yourself. HIPAA reporting allows for limited anonymity, but you should understand how investigators handle complaints when identity details are missing or withheld.
Filing with OCR while limiting consent
When you file with the Office for Civil Rights, you can deny consent for your identity to be shared with the organization. The investigation may continue, but limited disclosure can make fact-checking more difficult.
Using internal anonymous hotlines
Most covered entities provide compliance hotlines or suggestion boxes. These channels are built for anonymous reporting, and federal whistleblower policies protect you from retaliation when used in good faith.
Sending anonymous tips with supporting evidence
You may also submit an anonymous letter or email with details of the suspected violation. Clear evidence such as dates, locations, and redacted documents improves the chance that OCR takes meaningful action.
Pros and cons of anonymity
Example script for an anonymous HIPAA tip
“My concern is that on [date] at [location], patient information was shared in public. Staff mentioned names and conditions. I cannot share my identity, but this violates the HIPAA Privacy Rule.”
Anonymous reporting gives you an outlet, but it can limit outcomes. Next, let’s look at the strict HIPAA deadline so you don’t miss your chance to file effectively.
How long do you have to report a HIPAA violation?
Deadlines matter in HIPAA reporting. You must know exactly how long you have to report a HIPAA violation so your complaint is accepted and not dismissed for late submission.
The 180-day requirement
OCR requires that you file within 180 days of when you knew or should have known about the violation. Complaints filed later without justification are usually rejected at the intake stage.
When extensions are applied for good cause
Extensions may be allowed if you can show good cause. Examples include hospitalization, delayed discovery of the violation, or situations where internal reports delayed your ability to file with OCR.
Timeline illustration of the reporting period
Building your submission checklist
Prepare the entity name, violation description, dates, and supporting documents before you file. A date-stamped worksheet helps you track when you learned of the violation and keeps evidence in order.
Meeting the filing deadline ensures your complaint is considered. Next, we’ll move into the exact steps for preparing your HIPAA complaint so you can file with clarity and confidence.
How to file your HIPAA complaint correctly? Step-by-Step checklist
Filing a HIPAA complaint is a structured process. If you approach it step by step, you increase the chance of a fast review and a meaningful response from investigators.
Step 1: Gather facts before filing
Start by writing down who was involved, what happened, where it occurred, when it took place, and how the violation happened. Simple notes with dates and names make your complaint stronger.
Step 2: Identify the right entity
Confirm if you are reporting a covered entity, like a hospital, a health plan, or a business associate, such as a billing vendor. This identification helps investigators determine if HIPAA rules apply.
Step 3: Choose your filing channel
Select the channel based on your situation. Use the OCR portal for most cases, internal reporting for workplace issues, state attorneys general for local enforcement, or the FTC for health apps outside HIPAA.
Step 4: Complete the form with details
When filling out the form, include violation dates, a clear description of what occurred, and the potential impact. Keep sentences simple but precise so OCR staff understand the issue quickly.
Step 5: Attach evidence and track confirmation
Include supporting evidence such as emails, redacted documents, or photos of signage. Submit the complaint and save the confirmation number. Use a communications log to track future updates from OCR.
Next, let’s see what happens after you file.
What happens after you file a HIPAA Complaint?
Once you submit a HIPAA complaint, the process shifts into review and investigation. Understanding how OCR handles complaints helps you set realistic expectations about timing and outcomes.
Intake review for eligibility
OCR first checks jurisdiction and deadlines. Complaints are often rejected if they involve non-covered entities, are filed too late, or fail to describe actual HIPAA violations. Careful preparation reduces rejection risk.
Investigation steps taken
If accepted, OCR contacts the entity, collects records, and may interview staff. OCR may provide technical assistance or guidance during this phase if the violation appears minor or unintentional.
Possible resolutions available
Resolutions vary. Most cases end with voluntary compliance or a corrective action plan. Serious violations can lead to civil penalties, and intentional misuse of health data may be referred to the Department of Justice.
Timeline expectations for cases
Investigations can take months or longer, depending on complexity. Simple privacy complaints may close quickly, but systemic issues with multiple parties or repeated failures often extend the process significantly.
How to respond if OCR asks for more information?
If OCR requests clarification, respond promptly with clear details and supporting documents. Keeping your communications log updated helps you track these interactions and ensures you meet all follow-up requests.
Knowing these stages prepares you for the process. Now, you should know how whistleblower protections ensure you are safe from retaliation when reporting HIPAA violations.
Retaliation is illegal: Whistleblower Protection Measures
If you file a HIPAA complaint in good faith, the law protects you. Retaliation by your employer or the organization involved is strictly prohibited under HIPAA and several related federal and state laws.
What the law prohibits
Covered entities and business associates cannot threaten, demote, fire, or harass you for reporting HIPAA violations. Any act that punishes you for filing a complaint counts as unlawful retaliation.
How to document retaliation
Keep detailed records if you face retaliation. Write down dates, names, and descriptions of events. Save related emails, text messages, or memos, since these documents can be used as supporting evidence when reporting.
Reporting retaliation quickly
Report retaliation immediately to the Office for Civil Rights, just as you would a HIPAA violation. You can also file complaints with your state attorney general or through internal compliance channels.
Template: retaliation report email
“On [date], after I filed a HIPAA complaint, I was [describe retaliation, such as demoted or threatened]. This action violates HIPAA’s anti-retaliation rules. Please investigate and confirm next steps.”
Why protections matter
Knowing you are protected helps you act without fear. Reporting misconduct protects patient privacy and strengthens compliance culture.
Next, let’s review some special reporting situations that come up often.
Special situations to know about: Business Associates & more
Not all HIPAA complaints follow the same pattern. Certain cases involve business associates, workplace misconduct, non-HIPAA apps, or even self-reporting. Understanding these scenarios helps you decide the right reporting channel.
Business associates in violation
Vendors and contractors who handle protected health information are business associates. You may file complaints against them directly, or against the covered entity that hired them. Both share responsibility for HIPAA compliance.
Workplace-related violations
You might observe co-workers or supervisors accessing patient files without reason, or misusing role-based access privileges. These workplace HIPAA violations should first be reported internally, then escalated if the organization ignores the issue.
When health apps are involved
Fitness apps, mental health platforms, or personal health record vendors often fall outside HIPAA. In these cases, file a complaint with the Federal Trade Commission under the Health Breach Notification Rule.
State-specific reporting rules
Some states allow the attorney general to enforce HIPAA violations. Check your state attorney general’s website for instructions. Filing at the state level may provide added remedies or faster action alongside federal complaints.
Self-reporting for providers
If you are a provider who discovers your own HIPAA violation, self-reporting is critical. Document the incident, notify affected patients if required, and file with OCR. Corrective action reduces penalties and demonstrates accountability.
Special cases demand tailored responses, but the reporting steps remain clear. The FAQs below answer the questions that come up most often when filing and following up on a complaint.
FAQs
What qualifies as a HIPAA violation?
A HIPAA violation happens any time a covered entity or business associate fails to protect protected health information (PHI).
Examples include medical staff discussing patient conditions in public, improper disposal of records, weak electronic safeguards, or denying patients access to their own medical files.
HIPAA violations can also include delayed breach notifications or sharing PHI without proper consent. These incidents fall under the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule, and each can trigger HIPAA violation reporting requirements.
Who investigates HIPAA violations?
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services is the primary body responsible for investigating HIPAA complaints.
OCR investigates whether a covered entity followed HIPAA compliance rules and determines corrective action or penalties. In serious cases, the Department of Justice may handle criminal violations, while state attorneys general enforce HIPAA at the local level.
Understanding who investigates HIPAA violations helps you know whether to file an OCR complaint, report to your state AG, or seek legal help from a HIPAA lawyer.
Where to report HIPAA violations if a health app leaked my data?
If your personal health information was leaked by a health app, fitness tracker, or personal health record (PHR) vendor, reporting directly to the Office for Civil Rights may not work because many apps are not HIPAA-covered entities. Instead, you should file a complaint with the Federal Trade Commission (FTC) under the Health Breach Notification Rule.
The FTC enforces compliance for non-HIPAA entities, while OCR handles HIPAA-covered providers, hospitals, and insurers. If you’re unsure whether your app is HIPAA compliant, consult a HIPAA lawyer or check the app’s privacy policy.
What happens when you file a HIPAA complaint?
When you file a HIPAA complaint with OCR, the process begins with a jurisdiction review. OCR checks whether the organization is a covered entity or business associate, whether the HIPAA complaint was filed within the 180-day deadline, and whether the described event violates HIPAA standards.
If your HIPAA violation complaint qualifies, OCR opens an investigation, contacts the organization, and requests documentation.
The organization may be required to provide evidence of HIPAA compliance, including security measures, policies, and training logs.
What happens after a HIPAA complaint is filed?
After a HIPAA complaint is filed, OCR may resolve the case through technical assistance, voluntary compliance, or a corrective action plan. If violations are confirmed, civil monetary penalties can be imposed, ranging from hundreds to millions of dollars depending on severity. Intentional misuse of PHI may be referred to the Department of Justice for criminal prosecution. Cases involving systemic HIPAA compliance failures, like repeated breaches or ignored HIPAA violation reporting requirements, can take years to resolve.
Can you sue for a HIPAA violation?
HIPAA itself does not allow you to file a direct lawsuit because it lacks a private right of action. However, you can still file a HIPAA complaint with OCR, and you may pursue lawsuits under state privacy laws, negligence statutes, or breach of contract claims.
Many people also consult a HIPAA violation attorney to explore civil remedies. In some states, courts allow damages for medical privacy breaches even if HIPAA does not provide that option directly.
Can I sue for a HIPAA violation in my state?
Whether you can sue for a HIPAA violation depends on your state’s laws. States like California and Texas allow lawsuits for mishandling sensitive health information through state medical privacy statutes.
Filing a HIPAA complaint with OCR is still required for federal enforcement, but you may combine that with a state-level civil lawsuit.
Your state attorney general can also bring actions for HIPAA violations, making state-specific HIPAA violation reporting an important step.
What to do if accused of a HIPAA violation at work?
If accused of a HIPAA violation, remain calm and document everything. Request written details of the allegation, including dates and events.
Cooperate with internal investigations by the Privacy Officer or compliance team. Keep copies of communications to protect yourself. If the accusation escalates, consider consulting a HIPAA violation lawyer for advice.
Many workplace HIPAA complaints are resolved internally, but proper documentation helps if the matter is escalated to OCR or a state agency.
HIPAA violation in the workplace: what are my rights?
If you are accused of a HIPAA violation in the workplace, you have the right to due process. Employers must follow their compliance procedures fairly. Retaliation such as termination, demotion, or harassment for filing or responding to a HIPAA complaint is illegal.
Under HIPAA whistleblower protections, you can also file a retaliation complaint with OCR. Employees often use internal HIPAA violation reporting hotlines to protect themselves, and state employment laws may provide additional rights.
Self-reporting HIPAA violations: Does it reduce penalties?
Yes. Self-reporting HIPAA violations to OCR or your state attorney general typically reduces penalties. Organizations that identify and disclose violations early, notify patients promptly, and adopt corrective action plans show good faith compliance.
OCR often issues technical assistance or corrective action plans instead of large fines for entities that self-report HIPAA breaches.
Providers and business associates are encouraged to log issues in HIPAA compliance reporting systems and address them before OCR finds gaps during investigations.
HIPAA violation reporting requirements for providers and business associates
HIPAA requires covered entities (providers, health plans, clearinghouses) and business associates (vendors handling PHI) to follow strict HIPAA violation reporting requirements.
Breaches affecting more than 500 individuals must be reported to HHS and the media within 60 days. Breaches affecting fewer than 500 individuals must still be reported to HHS annually, and patients must always be notified.
Business associates must report breaches directly to the covered entity they serve, which then notifies OCR.
How to file a HIPAA complaint in California (state example)?
To file a HIPAA complaint in California, you can use the OCR complaint portal at ocrportal.hhs.gov or submit complaints to the California Attorney General’s office, which enforces California’s Confidentiality of Medical Information Act (CMIA).
California law often provides stronger protections than HIPAA, so filing both federally and at the state level is recommended. Many Californians also consult a local HIPAA violation attorney to combine state and federal complaint strategies.
Who do you contact for a HIPAA violation when the clinic won’t respond?
If a clinic ignores your HIPAA complaint, escalate the matter to the Office for Civil Rights. File online through OCR’s portal or call the HIPAA violation reporting phone number at 1-800-368-1019.
You can also contact your state attorney general for additional enforcement.
Document your attempts to resolve the issue with the clinic, as OCR requires proof that you tried to resolve the complaint internally before escalation.
HIPAA breach reporting vs. HIPAA complaint: what’s the difference?
HIPAA breach reporting is mandatory for covered entities and business associates when PHI is exposed, whether by hacking, loss, or accidental disclosure.
It must be reported to patients, OCR, and sometimes the media. A HIPAA complaint, on the other hand, is filed by individuals who believe their HIPAA rights were violated.
One represents required compliance reporting, the other represents individual rights enforcement. Both processes improve HIPAA compliance and accountability.
Do HIPAA violations have to be reported if it was an honest mistake?
Yes. Even honest mistakes, like sending records to the wrong patient, must be reported as HIPAA violations.
HIPAA violation reporting requirements do not excuse accidental breaches. Organizations that self-report mistakes often face technical assistance or corrective actions instead of heavy fines.
Failure to report “minor” HIPAA violations can lead to harsher penalties later. Covered entities and business associates should log every incident in their HIPAA compliance systems and file required HIPAA reports.
Conclusion
Reporting a HIPAA violation is about protecting trust. You now know where to report, the 180-day timeline, and what happens after a complaint is filed.
Prevention is easier than damage control. Staying HIPAA compliant proves reliability to patients, partners, and regulators while lowering the risk of fines or investigations.
ComplyJet makes this simple. The platform automates evidence collection, organizes incidents, and prepares OCR-ready packets without extra effort.
Start your Free Trial of ComplyJet today and see how quickly you can get audit-ready.
Glossary
PHI and ePHI
Protected Health Information (PHI) is any health data tied to identity, like names, birth dates, or treatment details. Electronic PHI (ePHI) covers digital forms such as emails, cloud databases, and electronic prescriptions.
Covered entity
A covered entity includes healthcare providers, health plans, and clearinghouses. These organizations must comply with HIPAA Privacy, Security, and Breach Notification Rules, and they face penalties if HIPAA violations go unreported.
Business associate
A business associate is a vendor handling PHI for a covered entity, such as billing services, IT firms, or cloud storage providers. HIPAA violation reporting applies to them too under Business Associate Agreements (BAAs).
Breach
A HIPAA breach occurs when PHI is improperly accessed, disclosed, or stolen. Examples include ransomware attacks, misdirected faxes, or medical records left unsecured. Breach reporting timelines depend on how many people are affected.
OCR (Office for Civil Rights)
The HHS Office for Civil Rights (OCR) investigates HIPAA complaints, enforces penalties, and provides corrective guidance. OCR is the primary body where you file HIPAA complaints online, by mail, fax, or phone.
Minimum necessary
The minimum necessary rule requires staff to share or access only the PHI needed for a specific task. Anything beyond that, like sending a full chart instead of a test result, risks HIPAA violations.
NPP (Notice of Privacy Practices)
The Notice of Privacy Practices (NPP) outlines patient rights under HIPAA, how PHI may be used, and how to report HIPAA complaints. Providers must share it with patients and post it publicly.
Technical assistance
OCR often resolves smaller HIPAA complaints with technical assistance, meaning education and guidance instead of fines. It’s common when a violation occurs without malicious intent but still requires corrective action.
HIPAA complaint
A HIPAA complaint is the formal process of notifying OCR or state attorneys general about a suspected HIPAA violation. Complaints must be filed within 180 days of discovery unless a good-cause extension applies.
HIPAA violation reporting
HIPAA violation reporting involves patients, employees, or providers notifying OCR or internal officers when PHI is mishandled. Providers and business associates must self-report breaches under HIPAA’s reporting requirements.
HIPAA violation attorney
A HIPAA violation attorney advises patients or employees on legal remedies. While HIPAA itself has no private right of action, lawsuits can proceed under state privacy laws or negligence claims tied to HIPAA violations.
HIPAA hotline
The HIPAA hotline is OCR’s toll-free number (1-800-368-1019). Many hospitals and insurers also provide internal HIPAA hotlines for employees to report suspected HIPAA violations anonymously.
Breach notification
Breach notification is the formal process of alerting patients, OCR, and sometimes the media about a HIPAA breach. Large breaches of 500+ individuals must be reported within 60 days under HIPAA law.
HITECH Act
The HITECH Act (Health Information Technology for Economic and Clinical Health Act) expanded HIPAA rules, added breach reporting requirements, and gave state attorneys general authority to enforce HIPAA violations.
Designated record set
A designated record set is the group of records maintained by a provider or health plan, such as medical or billing records. Patients have the right to access these records under HIPAA.
Civil monetary penalties
Civil monetary penalties (CMPs) are fines OCR issues for HIPAA violations. Penalties range from $137 per violation up to $2 million per year, depending on negligence level and history of compliance failures.
Corrective action plan (CAP)
A corrective action plan is an agreement between OCR and a healthcare entity to fix compliance problems. It may include training, audits, and policy changes. CAPs are often issued instead of immediate fines.
Whistleblower protections
HIPAA protects whistleblowers who report violations in good faith. Employers cannot retaliate through threats, termination, demotion, or harassment. Employees experiencing retaliation can file additional HIPAA complaints with OCR.
Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is a legally required contract between covered entities and business associates. It outlines how PHI will be protected and what happens if HIPAA violations or breaches occur.