HIPAA Privacy Complaint to HHS Office for Civil Rights

Instructions for Use

This template is designed for filing a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regarding violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR enforces the Privacy Rule, Security Rule, and Breach Notification Rule.

Filing Options:
- Online Portal (Preferred): https://ocrportal.hhs.gov/
- Mail/Fax: Send to appropriate OCR regional office
- Email: Submission by email represents your signature

Important Deadlines:
- File within 180 calendar days of when you knew or should have known of the violation
- Extensions may be granted for "good cause"


Section 1: Complainant Information

Your Information (Person Filing Complaint)

Field Information
Full Legal Name ______________________________________________
Street Address ______________________________________________
City, State, ZIP ______________________________________________
Telephone Number ______________________________________________
Email Address ______________________________________________
Preferred Contact Method ☐ Phone ☐ Email ☐ Mail

Are you filing on behalf of someone else? ☐ Yes ☐ No

If yes, complete the following:

Field Information
Affected Person's Name ______________________________________________
Relationship to Complainant ______________________________________________
Written Authorization Attached ☐ Yes ☐ No

Section 2: Covered Entity Information

Identity of Entity That Violated HIPAA

Field Information
Name of Organization ______________________________________________
Type of Entity ☐ Healthcare Provider ☐ Health Plan ☐ Healthcare Clearinghouse ☐ Business Associate
Street Address ______________________________________________
City, State, ZIP ______________________________________________
Telephone Number ______________________________________________
Website (if known) ______________________________________________

Contact Person at Entity (if known):

Field Information
Name ______________________________________________
Title/Position ______________________________________________
Direct Phone/Email ______________________________________________

Section 3: Description of Violation

Type of Violation (Check all that apply)

Privacy Rule Violations:
☐ Unauthorized disclosure of Protected Health Information (PHI)
☐ Failure to provide access to medical records within 30 days
☐ Failure to provide accounting of disclosures
☐ Improper use of PHI for marketing without authorization
☐ Failure to honor valid authorization request
☐ Sale of PHI without authorization
☐ Failure to provide Notice of Privacy Practices
☐ Other Privacy Rule violation: __________________________________________

Security Rule Violations:
☐ Failure to implement adequate safeguards for electronic PHI
☐ Lost or stolen device containing unencrypted PHI
☐ Unauthorized access to electronic health records
☐ Failure to conduct risk analysis
☐ Inadequate access controls
☐ Other Security Rule violation: __________________________________________

Breach Notification Violations:
☐ Failure to notify individual of breach
☐ Failure to notify HHS of breach
☐ Failure to notify media of large breach (500+ individuals)
☐ Untimely breach notification

Detailed Description of Violation

Date(s) of Violation: __________________________________________

Location Where Violation Occurred: __________________________________________

Describe what happened (include who, what, when, where, and how):

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

How did you discover the violation?

_______________________________________________________________________________

_______________________________________________________________________________

What Protected Health Information was involved?

☐ Name
☐ Date of birth
☐ Social Security Number
☐ Medical record number
☐ Diagnosis/treatment information
☐ Insurance information
☐ Financial/billing information
☐ Contact information
☐ Photographs/images
☐ Other: __________________________________________

To whom was the PHI improperly disclosed (if known)?

_______________________________________________________________________________


Section 4: Actions Already Taken

Have you attempted to resolve this matter with the covered entity? ☐ Yes ☐ No

If yes, describe your efforts and the response:

_______________________________________________________________________________

_______________________________________________________________________________

Date of Contact | Method | Person Contacted | Response Received
______________ | _______ | ________________ | _________________
______________ | _______ | ________________ | _________________

Have you filed a complaint with any other agency? ☐ Yes ☐ No

If yes, identify:

Agency Name | Date Filed | Case/Reference Number
___________ | __________ | _____________________
___________ | __________ | _____________________

Section 5: Supporting Documentation

Documents Attached (Check all that apply):

☐ Written communication with covered entity
☐ Copy of authorization form (if applicable)
☐ Notice of Privacy Practices from entity
☐ Breach notification letter received
☐ Medical records showing violation
☐ Screenshots or electronic evidence
☐ Witness statements
☐ Correspondence regarding records request
☐ Explanation of Benefits (EOB)
☐ Other: __________________________________________


Section 6: Impact Statement

Describe how this violation has affected you:

☐ Identity theft or fraud
☐ Financial harm (specify): __________________________________________
☐ Emotional distress
☐ Damage to reputation
☐ Employment consequences
☐ Relationship/family impact
☐ Denial of services
☐ Other harm: __________________________________________

Detailed description of harm suffered:

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________


Section 7: Requested Action

What outcome are you seeking? (Check all that apply)

☐ Investigation of the covered entity
☐ Corrective action to prevent future violations
☐ Civil monetary penalties against the entity
☐ Requirement that entity provide access to records
☐ Technical assistance to covered entity regarding compliance
☐ Other: __________________________________________


Section 8: Certification and Signature

Certification Statement

I certify that the information provided in this complaint is true and accurate to the best of my knowledge. I understand that:

  • OCR will not act as my attorney or provide legal advice
  • Filing a false complaint may subject me to criminal penalties
  • The covered entity cannot retaliate against me for filing this complaint
  • OCR may share complaint information with the covered entity during investigation

☐ I consent to OCR disclosing my name to the covered entity during the investigation

☐ I request that OCR keep my identity confidential to the extent permitted by law

Signature: ______________________________________________

Date: ______________________________________________


Important Information

What OCR Can Investigate

OCR enforces HIPAA against:
- Healthcare Providers who transmit health information electronically
- Health Plans (insurance companies, HMOs, employer health plans)
- Healthcare Clearinghouses
- Business Associates of the above entities

What OCR Cannot Investigate

  • Violations that occurred before April 14, 2003 (Privacy Rule) or April 20, 2005 (Security Rule)
  • Entities not covered by HIPAA (employers, schools, life insurers, law enforcement)
  • State law violations (contact state attorney general)

Timeline Expectations

  • OCR will acknowledge receipt of your complaint
  • Investigation timeframes vary based on complexity
  • OCR may resolve through informal means or formal investigation
  • You will be notified of the outcome

Protection Against Retaliation

Under 45 CFR 160.316, covered entities and business associates are prohibited from intimidating, threatening, coercing, discriminating against, or taking any retaliatory action against any individual who:
- Files a complaint with HHS
- Testifies, assists, or participates in an investigation
- Opposes any act or practice that violates HIPAA

If you experience retaliation, notify OCR immediately.


OCR Regional Office Directory

Region | States Covered | Contact
Region I | CT, MA, ME, NH, RI, VT | Boston
Region II | NJ, NY, PR, VI | New York
Region III | DC, DE, MD, PA, VA, WV | Philadelphia
Region IV | AL, FL, GA, KY, MS, NC, SC, TN | Atlanta
Region V | IL, IN, MI, MN, OH, WI | Chicago
Region VI | AR, LA, NM, OK, TX | Dallas
Region VII | IA, KS, MO, NE | Kansas City
Region VIII | CO, MT, ND, SD, UT, WY | Denver
Region IX | AZ, CA, HI, NV, Pacific Islands | San Francisco
Region X | AK, ID, OR, WA | Seattle

Resources

  • HHS OCR Portal: https://ocrportal.hhs.gov/
  • HIPAA Information: https://www.hhs.gov/hipaa/
  • OCR Complaint Portal: https://www.hhs.gov/hipaa/filing-a-complaint/
  • HIPAA Privacy Rule: 45 CFR 164.500-534
  • HIPAA Security Rule: 45 CFR 164.302-318

This template is provided for informational purposes only and does not constitute legal advice. Consult with a healthcare attorney for specific legal guidance.
