In January 2024, a medical receptionist in Texas discovered her supervisor was accessing patient records for personal reasons — looking up neighbors, family members, even local celebrities. She wanted to act but had no idea where to start. This scenario plays out more often than most realize. Knowing how to report a HIPAA violation is not just a right — it's a responsibility that protects patients and your organization.
Why Every Workforce Member Must Know How to Report a HIPAA Violation
OCR — the Office for Civil Rights within HHS — relies heavily on individual complaints to identify and investigate HIPAA violations. Between April 2003 and the end of 2023, OCR received over 350,000 HIPAA complaints. More than 98% of those came from individuals, not audits or internal reviews.
If your workforce doesn't understand the complaint process, violations go unreported. Unreported violations become patterns. Patterns become the kind of systemic failures that result in six- and seven-figure penalties. In my work with covered entities, I've seen organizations blindsided by OCR investigations that could have been prevented if a single employee had known where to file a concern.
Step 1: Document the Potential Violation
Before you report anything, gather the specifics. Write down what happened, when it happened, who was involved, and what protected health information (PHI) was potentially exposed or misused. Be factual, not speculative.
Key details to capture include:
- The date, time, and location of the incident
- The names or roles of individuals involved
- The type of PHI accessed, disclosed, or compromised
- Whether the access appeared intentional or accidental
- Any witnesses or supporting evidence (emails, screenshots, access logs)
This documentation will be critical whether you report internally first or go directly to OCR. Record where the evidence lives (which system, which audit log, which date range) rather than copying PHI to personal email or devices; your own notes should contain only the minimum detail needed to describe the incident, so that documenting the violation does not itself become an impermissible disclosure.
Step 2: Report Internally Through Your Organization's Privacy Officer
Under the Privacy Rule's administrative requirements (45 CFR § 164.530(a)), every covered entity must designate a privacy official responsible for its privacy policies and procedures, and a contact person or office responsible for receiving complaints (often the same person). Business associates are not bound by that particular provision, but their business associate agreements must require them to report impermissible uses and disclosures to the covered entity (45 CFR § 164.504(e)), so a business associate's compliance function is the equivalent first stop. Your first step should almost always be to report the potential violation through this internal channel.
Most organizations have a compliance hotline, an incident reporting form, or a direct line to the privacy officer, and the organization's Notice of Privacy Practices must describe how to complain to it and to the Secretary of HHS (45 CFR § 164.520(b)). If your organization hasn't made this process clear, that itself is a compliance gap: the Privacy Rule requires covered entities to provide a process for individuals to make complaints about privacy policies and procedures and about compliance with them, and to document each complaint received and its disposition (45 CFR § 164.530(d)).
Healthcare organizations that invest in HIPAA training and certification for their workforce typically have well-defined internal reporting structures. Those that skip training rarely do.
Step 3: File a Complaint Directly with OCR
If internal reporting fails — or if you believe the violation is severe enough to warrant federal attention — you can report a HIPAA violation directly to the U.S. Department of Health and Human Services Office for Civil Rights.
Here's how:
- Online: Use the OCR Complaint Portal, linked from hhs.gov/hipaa/filing-a-complaint
- Mail, email, or fax: Send a written complaint to OCR's Centralized Case Management Operations; the mailing address, email address, and fax number are listed on the same HHS page
The filing requirements are set out in 45 CFR § 160.306. A complaint must be in writing (paper or electronic), must name the covered entity or business associate involved, and must describe the acts or omissions you believe violated HIPAA. It must be filed within 180 days of when you knew, or should have known, that the act or omission occurred, although OCR can waive that limit for good cause.
OCR does not require you to have filed an internal complaint first, but having done so strengthens your report and shows the organization had an opportunity to address the issue.
Whistleblower Protections You Should Know About
Fear of retaliation is the number one reason HIPAA violations go unreported. The HIPAA Privacy Rule at 45 CFR § 164.530(g), together with the general enforcement provision at 45 CFR § 160.316, prohibits covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against any individual who files a HIPAA complaint, testifies or assists in an investigation or compliance review, or opposes any act they reasonably believe is unlawful under HIPAA.
This means your employer cannot fire you, demote you, threaten you, or take any adverse action because you chose to report a HIPAA violation. If they do, that retaliation itself becomes a separate violation subject to OCR enforcement. Two caveats matter in practice. First, § 160.316(c) protects opposition only when the manner of opposing is reasonable and does not itself involve an unlawful disclosure of PHI, so stick to the reporting channels described above rather than, for example, posting records publicly. Second, 45 CFR § 164.502(j) expressly permits a workforce member who believes in good faith that the entity has acted unlawfully to disclose PHI to a health oversight agency such as OCR, or to an attorney retained to advise on the matter; a complaint that identifies the affected patients is therefore not itself a violation.
Additional protections may exist under your state's whistleblower laws, which can provide further legal remedies.
What Happens After You Report a HIPAA Violation to OCR
OCR reviews every complaint to determine if it falls within their jurisdiction. If it does, the investigation typically follows this path:
- Intake and Review: OCR determines whether the complaint describes a potential HIPAA violation by a covered entity or business associate
- Investigation: OCR contacts the organization, requests documentation, and may conduct on-site reviews
- Resolution: Outcomes range from technical assistance and voluntary compliance to resolution agreements and civil monetary penalties
In fiscal year 2023, OCR resolved over 32,000 cases. The majority resulted in corrective action through technical assistance or voluntary compliance. However, OCR also announced multiple resolution agreements that year with settlement payments above $1 million, tied to missing or inadequate risk analysis, impermissible PHI disclosures, and inadequate access controls.
The Role of the Minimum Necessary Standard in Violation Reports
Many reportable violations involve workforce members viewing PHI they have no job-related reason to see. The minimum necessary standard (45 CFR § 164.502(b) and § 164.514(d)) requires a covered entity to identify which workforce roles need access to which categories of PHI and to limit access accordingly. An employee who opens a chart with no treatment, payment, or health care operations reason is making an impermissible use under 45 CFR § 164.502(a), and that is a violation worth reporting, whether the motive is curiosity about a neighbor or a local celebrity.
Covered entities must have policies and procedures that limit PHI access by role, and the Security Rule backs that up with technical access controls, audit controls that record activity in systems holding electronic PHI, and regular review of that activity (45 CFR § 164.312(a)(1), § 164.312(b), and § 164.308(a)(1)(ii)(D)). If your organization hasn't implemented role-based access controls, or isn't actually reviewing its access logs, a complaint about snooping will expose that gap quickly during an OCR investigation, because the access records are exactly what OCR will request.
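The kind of log review that surfaces these violations, shown as an added example in Python (this is illustrative code, not code from any EHR vendor, from OCR, or from the original article): it parses a constructed access-log export, checks each action against a role policy, then checks whether the user had a documented treatment, payment, or operations relationship with the patient at the time of access, and adds a note when the patient shares the user's surname or street address, the neighbors-and-family pattern from the opening scenario. Every identifier, log line, relationship window, and directory entry below is constructed for the example; in a real deployment these come from the EHR audit trail, the scheduling or ADT feed, and HR.

```python
"""Audit EHR access logs for use of PHI with no job-related reason.

Added illustration only. All records below (log lines, care relationships,
role policy, staff and patient directories) are constructed for the example.
"""
from datetime import datetime

# Constructed audit-log export: timestamp, user id, role, patient id, action.
ACCESS_LOG = """\
2024-01-08T09:02:11,u1001,RECEPTION,P5001,VIEW_DEMOGRAPHICS
2024-01-08T09:20:03,u1001,RECEPTION,P5001,VIEW_LABS
2024-01-08T12:31:05,u2002,SUPERVISOR,P5003,VIEW_CHART
2024-01-08T12:33:19,u2002,SUPERVISOR,P5004,VIEW_CHART
2024-01-09T08:40:10,u3003,PHYSICIAN,P5001,VIEW_LABS
"""

# Constructed care relationships: (patient, user) -> (start, end) of the encounter,
# scheduling task or billing task that gives the user a TPO reason to open the chart.
RELATIONSHIPS = {
    ("P5001", "u1001"): (datetime(2024, 1, 8, 8, 0), datetime(2024, 1, 8, 17, 0)),
    ("P5001", "u3003"): (datetime(2024, 1, 8, 8, 0), datetime(2024, 1, 15, 0, 0)),
}

# Constructed role policy: the actions each role is ever permitted to perform.
# The EHR should enforce this; the audit re-checks it because configurations drift.
ROLE_ACTIONS = {
    "RECEPTION": {"VIEW_DEMOGRAPHICS", "SCHEDULE"},
    "SUPERVISOR": {"VIEW_DEMOGRAPHICS", "SCHEDULE", "VIEW_CHART"},
    "PHYSICIAN": {"VIEW_DEMOGRAPHICS", "VIEW_CHART", "VIEW_LABS", "ORDER"},
}

# Constructed directories used only for the family/neighbor heuristic.
STAFF = {"u2002": {"surname": "Garza", "street": "14 Oak Ln"}}
PATIENTS = {
    "P5003": {"surname": "Garza", "street": "9 Elm St"},
    "P5004": {"surname": "Nguyen", "street": "14 Oak Ln"},
}


def parse_log(text):
    """Turn the CSV export into dicts with a real datetime for window checks."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


def has_relationship(user, patient, ts, relationships=RELATIONSHIPS):
    """True if the user had a documented TPO reason for this patient at time ts."""
    window = relationships.get((patient, user))
    return window is not None and window[0] <= ts <= window[1]


def audit(entries, relationships=RELATIONSHIPS, role_actions=ROLE_ACTIONS,
          staff=STAFF, patients=PATIENTS):
    """Return (ts, user, patient, reasons) for every access that needs human review."""
    findings = []
    for e in entries:
        reasons = []
        # Check 1: the action must be within what the user's role may ever do.
        if e["action"] not in role_actions.get(e["role"], set()):
            reasons.append(f"action {e['action']} not permitted for role {e['role']}")
        # Check 2: the user must have had a documented relationship with the patient.
        if not has_relationship(e["user"], e["patient"], e["ts"], relationships):
            reasons.append("no documented treatment, payment or operations relationship")
            s, p = staff.get(e["user"], {}), patients.get(e["patient"], {})
            if s and p and s["surname"] == p["surname"]:
                reasons.append("patient shares the user's surname")
            if s and p and s["street"] == p["street"]:
                reasons.append("patient shares the user's street address")
        if reasons:
            findings.append((e["ts"], e["user"], e["patient"], tuple(reasons)))
    return findings


def flagged_users(findings):
    """Distinct users with at least one finding, for the privacy officer's follow-up."""
    return sorted({f[1] for f in findings})


if __name__ == "__main__":
    for ts, user, patient, reasons in audit(parse_log(ACCESS_LOG)):
        print(ts.isoformat(), user, patient, "; ".join(reasons))
```

Run against the constructed data, the receptionist's demographics lookup and the physician's lab review pass cleanly; the receptionist's lab view is flagged as outside her role, and the supervisor's two chart views are flagged for having no relationship, one with a surname match and one with an address match. A finding is a prompt for the privacy officer to ask the user for a reason, not proof of a violation; the relationship table is only as good as the scheduling and encounter data behind it, so break-glass and cross-cover access need a documented reason rather than silent suppression.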
Don't Wait for a Breach to Build a Reporting Culture
The organizations that handle HIPAA complaints well are the ones that prepared before a complaint ever arrived. That means training every workforce member — not just clinicians but administrative staff, IT teams, and contractors — on how to recognize and report potential violations.
A comprehensive HIPAA workforce compliance program doesn't just check a regulatory box. It builds the kind of culture where employees feel empowered to raise concerns, where privacy officers respond to complaints effectively, and where small issues are resolved before they escalate into OCR investigations.
If someone in your organization witnesses a HIPAA violation today, do they know exactly what to do? If the answer is anything less than an immediate yes, your training program needs attention — now, not after the complaint is filed.