In 2023, a nurse at a mid-sized hospital noticed a coworker accessing patient records for a family member: an unauthorized use of protected health information, and a clear Privacy Rule violation under 45 CFR §164.502. She wanted to report it but didn't know where to start. Should she tell her supervisor? Call a hotline? File a federal complaint? This confusion is far more common than it should be, and it's exactly why every workforce member needs to know who to report a HIPAA violation to before a violation ever occurs.

Who Do You Report a HIPAA Violation To Inside Your Organization

The first step in nearly every HIPAA violation scenario is internal reporting. Under the Privacy Rule, every covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or office (often the same individual) responsible for receiving complaints (45 CFR §164.530(a)(1)). In practice this is the Privacy Officer.

If you witness or suspect a HIPAA violation — unauthorized access to protected health information (PHI), improper disclosures, missing safeguards — your initial report should go to your organization's Privacy Officer or Compliance Officer. Many healthcare organizations also maintain anonymous compliance hotlines or incident reporting systems.

Internal reporting matters because it gives your covered entity the opportunity to investigate, mitigate harm, and self-correct before the issue escalates. It also matters at the enforcement stage: when OCR sets a civil money penalty it weighs factors such as the entity's history of compliance and the corrective action it took (45 CFR §160.408), so organizations that find and fix violations themselves are generally treated more favorably than those that wait for a federal investigation.

What Your Privacy Officer Should Do Next

Once a report is received internally, your Privacy Officer should document the complaint, preserve the relevant evidence (access logs, audit trails, copies of any improper disclosure), conduct a thorough investigation, and determine whether a breach of unsecured PHI has occurred. Note that an impermissible use or disclosure is presumed to be a breach unless the entity can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised (45 CFR §164.402). If it is a breach, the Breach Notification Rule (45 CFR §§164.400-414) triggers specific obligations: notice to affected individuals without unreasonable delay and no later than 60 days after discovery, notice to HHS (within 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and notice to prominent media outlets when more than 500 residents of a state or jurisdiction are affected.

Organizations that lack a clear internal reporting workflow are disproportionately the ones that end up in OCR enforcement actions. If your team doesn't know the chain of reporting, it's time to invest in comprehensive HIPAA training and certification that covers incident response procedures.

Filing a Complaint Directly with OCR

If internal reporting doesn't resolve the issue — or if you believe your organization itself is the problem — the next step is the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR is the federal agency responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules.

Anyone can file a HIPAA complaint with OCR. You don't have to be the patient whose PHI was compromised. Workforce members, patients, family members, and even members of the public can submit complaints. Here's what you need to know:

  • Deadline: Complaints must be filed within 180 days of when you knew (or should have known) the violation occurred. OCR may extend this deadline in certain circumstances.
  • How to file: Complaints can be submitted online through the OCR Complaint Portal, by mail, or by email. The portal is available at hhs.gov/ocr.
  • What to include: The name of the entity you're filing against, a description of the violation, the date(s) it occurred, and your contact information.
  • Retaliation protection: Under 45 CFR §164.530(g), covered entities are prohibited from retaliating against anyone who files a HIPAA complaint.

OCR reviews every complaint it receives, but it opens an investigation only when the complaint is timely, alleges conduct that would violate the HIPAA Rules, and names an entity subject to those Rules. According to OCR's own enforcement statistics, between April 2003 and the end of 2023 it received over 350,000 HIPAA complaints, and its resolved enforcement actions have generated more than $142 million in settlements and civil money penalties.

State Attorneys General: Another Enforcement Channel

Many people asking who to report a HIPAA violation to overlook state-level enforcement. Under the HITECH Act, state attorneys general have independent authority to bring civil actions in federal court for HIPAA violations that affect residents of their state.

Several states have pursued HIPAA-related enforcement aggressively. If you believe a HIPAA violation has harmed residents of your state, filing a complaint with your state attorney general's office is a legitimate and sometimes faster path to accountability. Some states also have their own health information privacy laws that impose additional requirements beyond HIPAA.

When to Report to Law Enforcement

Certain HIPAA violations involve criminal conduct: knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, obtaining it under false pretenses, or obtaining or disclosing it with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. Criminal violations of HIPAA (42 U.S.C. §1320d-6) are prosecuted by the Department of Justice (DOJ), not OCR.

Penalties for criminal HIPAA violations are tiered: up to $50,000 and one year in prison for the basic offense; up to $100,000 and five years for offenses committed under false pretenses; and up to $250,000 and ten years for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

If you suspect criminal misuse of PHI, report it to both OCR and your local FBI field office or DOJ. Do not attempt to investigate on your own: preserve any evidence you already have, but do not access, copy, or forward the PHI involved beyond what your organization's incident process requires.

Business Associates Have Reporting Obligations Too

Since the Omnibus Rule of 2013, business associates are directly liable for compliance with the HIPAA Security Rule and the applicable provisions of the Privacy and Breach Notification Rules. If a business associate discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay and no later than 60 days after discovery (45 CFR §164.410). The Business Associate Agreement must also require the business associate to report security incidents it becomes aware of, including breaches (45 CFR §164.314(a)(2)(i)(C)), and agreements commonly set a reporting window much shorter than 60 days.

Business associates cannot simply stay silent and hope the covered entity doesn't notice. Failure to report a known breach is itself a HIPAA violation, and OCR has cited deficient business associate reporting and oversight in its enforcement actions. If your organization works with business associates, make sure your Business Associate Agreements (BAAs) clearly define breach and security incident reporting timelines, the required content of a report, and who on each side is responsible for sending and receiving it.

The Workforce Training Gap That Creates Reporting Failures

Healthcare organizations consistently struggle with one problem: their workforce doesn't know the reporting process. OCR's published resolution agreements repeatedly describe violations that went unreported internally for weeks or months, not because employees didn't care, but because they were never trained on what to do.

The HIPAA Privacy Rule at 45 CFR §164.530(b) requires covered entities to train all workforce members on the policies and procedures related to PHI, as necessary and appropriate for their roles. This includes training on how to recognize a potential violation and exactly who to report a HIPAA violation to within the organization.

Generic annual training that covers only the basics of what PHI is won't cut it. Your workforce needs scenario-based training that walks through real reporting situations. HIPAA Certify's workforce compliance program is designed to close exactly this gap — giving every team member clarity on their role in the reporting chain.

A Step-by-Step Reporting Framework

Based on my work with covered entities of all sizes, here's the reporting framework I recommend:

  • Step 1: Report the suspected violation to your organization's Privacy Officer or Compliance Officer immediately.
  • Step 2: Document what you observed, including dates, the individuals involved, the PHI at risk, and any evidence. Limit yourself to what you already saw: do not pull up the affected records, take screenshots of PHI, or email PHI to yourself to "prove" the violation, since that can create a second impermissible use.
  • Step 3: If your organization fails to act, or if the organization itself is the violator, file a complaint with OCR within 180 days of when you knew or should have known of the violation.
  • Step 4: For violations that also breach state law, contact your state attorney general's office.
  • Step 5: For criminal misuse of PHI, report to the DOJ or FBI.

Every covered entity should have this framework documented, distributed, and reinforced through regular HIPAA training and certification programs.

Don't Wait for OCR to Come Knocking

Knowing who to report a HIPAA violation to isn't just an academic exercise; it's an operational requirement that protects patients, your workforce, and your organization's financial future. OCR has imposed penalties running into the millions of dollars in single enforcement actions against health systems that could not show adequate incident reporting and investigation processes.

Build your reporting infrastructure now. Train your workforce regularly. And make sure every person in your organization — from front desk staff to the C-suite — knows exactly what to do when they see something wrong. The minimum necessary standard applies to PHI access, but there's no minimum when it comes to vigilance about compliance.