How to make HIPAA Complaints within a Covered Entity

Who should be informed within the covered entity when you want to make a HIPAA complaint? Any healthcare employee who thinks a HIPAA violation has occurred should report the incident internally.

In the course of your HIPAA training, you should have been told who to talk to when you want to report a HIPAA complaint and what the procedures for doing so are. In most cases, the HIPAA violation must be reported to the individual in your company who is in charge of HIPAA compliance, normally your Privacy Officer. You might feel more at ease reporting the episode to your supervisor.

All HIPAA violations, even relatively minor ones, should be reported. They might be a sign of a bigger problem, so it is essential that they are looked into internally. Accidental HIPAA violations must also be reported. It is advisable to admit a relatively small HIPAA violation yourself rather than have the incident reported by a colleague, identified during an internal audit, or, even worse, discovered by government regulators.

A covered entity should assess potential HIPAA violations, decide whether HIPAA Rules were violated, and determine whether the incident needs to be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) under the HIPAA Breach Notification Rule. Not every breach is reportable. To determine whether a breach is reportable, a risk analysis should be carried out.

The HIPAA Breach Notification Rule calls for covered entities and business associates to submit reports of HIPAA violations to OCR. All breaches affecting over 500 people should be reported as soon as possible, and no later than 60 days after the discovery of the incident. Smaller breaches affecting fewer than 500 people can be reported yearly, but no later than 60 days following the end of the year in which the incident was discovered. Nevertheless, breach notices should be sent to impacted patients within 60 days, irrespective of the number of people the breach affected.

Although all HIPAA violations ought to be reported in-house, a complaint can also be submitted to OCR. However, OCR does not investigate anonymous complaints.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.