HIPAA Violations: How to Report One

A HIPAA violation happens when your health information is mishandled. This page covers what counts as a violation, how to report it to HHS OCR, the filing deadline, and what remedies you have.

Last updated June 21, 2026 By LawfareClaims.org

A HIPAA violation happens when a healthcare provider, health plan, or their business associate mishandles your protected health information (PHI). You can report it — and serious or repeated violations can carry real penalties.

What counts as a HIPAA violation

  • Sharing your medical information without authorization.
  • Snooping in records by someone with no treatment reason to view them.
  • Failing to safeguard records, leading to a breach or exposure.
  • Denying you timely access to your own records.
  • Lost or stolen unencrypted devices containing PHI.

How to report a HIPAA violation

  1. Complain to the provider's or plan's Privacy Officer first, if you can.
  2. File a complaint with the HHS Office for Civil Rights (OCR) — online, by mail, or by email — generally within 180 days of when you knew of the violation.
  3. Include who, what, when, and any documentation.

What you can and can't get

HIPAA itself does not let individuals sue for money directly — enforcement is by OCR, which can require fixes and impose penalties. But the same conduct may support a separate claim under state privacy law or, after a breach, a data-breach class action.
