HIPAA Complaint Process for Covered Entities: Step-by-Step Guide with Examples

Kevin Henry

HIPAA

January 19, 2025

Filing a Complaint with a Covered Entity

If you believe your protected health information (PHI) was mishandled, start by submitting a complaint to the covered entity (health plan, provider, or clearinghouse). This local route often resolves issues faster and can prevent broader compliance exposure.

How to file with a covered entity

  • Identify the designated contact, usually the Privacy Officer or HIPAA Compliance Officer.
  • Submit your complaint in writing. Include dates, people involved, a clear description of what happened, and what outcome you seek.
  • Attach supporting evidence (screenshots, letters, visit summaries), but redact unrelated identifiers.
  • Request written acknowledgment and a response timeline.

What to include

  • Your name and contact information.
  • The entity’s name and location.
  • Specific facts: who, what, where, when, and how the incident affected you.
  • Whether you consent to sharing your identity with involved staff during the investigation.

Example

You discover your visit summary was mailed to the wrong address. You send a dated letter to the Privacy Officer explaining the misdirected mailing, including the clinic location and service date, and request an explanation of safeguards and any corrective steps.

Privacy Officer Responsibilities

  • Log and acknowledge complaints promptly.
  • Assess whether the issue implicates Privacy, Security, or Breach Notification standards.
  • Coordinate fact-finding, contain risks, and implement interim safeguards if needed.
  • Communicate findings and any corrective measures to the complainant.

If you are not satisfied—or prefer to go directly to regulators—you may file with the Office for Civil Rights (OCR) as described below.

Filing a Complaint with the Office for Civil Rights

OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules. You can file with OCR whether or not you first complained to the covered entity.

Using the OCR Complaint Portal

  • Submit online through the OCR Complaint Portal, or file by mail or email if preferred.
  • Provide your contact details, the entity’s information, dates, a narrative of what happened, and any documentation.
  • State whether you authorize OCR to reveal your identity to the entity during the investigation.

Timeline to file

You generally have 180 days from when you knew or should have known of the violation to file with OCR. OCR may extend this for good cause.

Example

A hospital employee accessed a chart without care-related need. You submit an OCR complaint describing the unauthorized access, the dates involved, how you learned of it, and why you believe it violated HIPAA.

Filing a Complaint with the Centers for Medicare & Medicaid Services

CMS handles HIPAA Administrative Simplification matters, not privacy or security breaches. Use this channel for standards governing electronic transactions, code sets, unique identifiers, and operating rules.

HIPAA Administrative Simplification Enforcement

  • File when a trading partner (e.g., payer or billing vendor) refuses standard electronic transactions or uses noncompliant code sets or identifiers.
  • Submit details about the transaction type (e.g., claims, remittance), dates, error messages, and impacted trading relationships.
  • Include samples (de-identified when possible) and describe business impacts (delays, denials, rework).

Example

Your clearinghouse reports that a health plan rejects compliant 835 remittance files unless a nonstandard segment is added. You file with CMS explaining the noncompliance, attach de-identified transaction reports, and request enforcement.

Investigation Process by OCR

After intake, OCR verifies jurisdiction and whether the complaint alleges a potential violation. If accepted, OCR notifies the entity and requests records and explanations.

Typical steps

  • Triage and jurisdiction check; request for information to the entity.
  • Review of policies, workforce training, risk analyses, access logs, and incident assessments.
  • Interviews, data sampling, and (if needed) on-site visits.
  • Evaluation of harm, scope, and the entity’s mitigation and corrective measures.

Possible outcomes

  • No violation or insufficient evidence; matter closed with or without technical assistance.
  • Voluntary compliance and remediation documented to OCR.
  • Corrective Action Plan (CAP) with reporting and monitoring.
  • Referral for potential penalties if noncompliance is substantiated, especially for willful neglect.

Enforcement Actions by OCR

When OCR finds noncompliance, it selects remedies proportional to risk and culpability, prioritizing prevention and sustained compliance.

Range of actions

  • Technical assistance and informal resolution for isolated or low-risk issues.
  • Resolution agreements that require specific Compliance Corrective Action and leadership oversight.
  • Corrective Action Plans with deadlines, attestations, and independent monitoring.
  • Civil Money Penalties (CMPs) when warranted, considering the violation category, duration, harm, and entity size.

What entities should expect

  • Written findings outlining violations and required remediation.
  • Documentation and progress reports demonstrating sustained compliance.
  • Potential public announcement of settlements, emphasizing transparency and deterrence.

Internal Complaint Handling by Covered Entities

A clear, documented process protects patients, reduces risk, and demonstrates accountability. Use the steps below to build a consistent response framework.

Intake and triage

  • Provide easy intake channels (portal, email, hotline, mail).
  • Log the complaint upon receipt and send a prompt acknowledgment with next steps.
  • Classify: privacy, security, breach notification, or Administrative Simplification (for CMS referral if needed).

Fact-finding and risk assessment

  • Secure evidence, preserve logs, and interview involved staff.
  • Evaluate the nature and extent of PHI, unauthorized recipients, and likelihood of misuse.
  • Determine if breach notification obligations are triggered and act within required timelines.

Compliance Corrective Action

  • Implement immediate containment (access termination, misdirected mail retrieval, minimum necessary adjustments).
  • Address root causes: policy gaps, workflow design, system controls, or training deficits.
  • Apply workforce sanctions where appropriate and document retraining.

Complaint Documentation Retention

  • Maintain the complaint, investigation notes, decisions, notifications, and CAP evidence.
  • Retain documentation for at least six years from creation or last effective date, consistent with HIPAA documentation requirements.

Communication and closure

  • Provide the complainant with a clear outcome summary and any mitigation offered.
  • Record lessons learned and update risk management and audit plans.

Retaliation Prohibited

Covered entities and business associates may not retaliate against an individual for filing a HIPAA complaint, participating in an investigation, or opposing practices they reasonably believe violate HIPAA.

Retaliation Protections under HIPAA

  • Prohibited actions include termination, demotion, intimidation, denial of services, or adverse billing changes tied to a complaint.
  • Train supervisors to route concerns to compliance—not to discipline complainants.
  • Document anti-retaliation policies and communicate them to patients and workforce members.

What to do if retaliation is suspected

  • Report internally to compliance or HR and request corrective review.
  • Escalate to OCR if retaliation persists or internal remedies are unavailable.

Conclusion

Understanding the HIPAA complaint process for covered entities helps you choose the right forum, provide strong documentation, and secure timely remedies. Start locally when appropriate, use OCR for privacy and security issues, and CMS for Administrative Simplification concerns. Maintain thorough records, implement corrective actions, and never retaliate against complainants.

FAQs

How do I file a complaint with a HIPAA covered entity?

Send a written complaint to the entity’s Privacy Officer describing what happened, when, who was involved, and how it affected you. Request acknowledgment, include relevant evidence, and ask for a target response date. If unresolved, you can also submit the matter to OCR.

What is the timeline for filing a HIPAA complaint with OCR?

You generally must file within 180 days of when you knew or should have known of the potential violation. OCR may allow more time if you show good cause for delay.

What actions does OCR take after investigating a complaint?

Outcomes range from technical assistance and voluntary compliance to formal Resolution Agreements with Corrective Action Plans and, when warranted, Civil Money Penalties. OCR may monitor compliance until corrective steps are complete.

How are covered entities required to handle HIPAA complaints internally?

Entities must provide a process for receiving complaints, investigate promptly, mitigate risks, implement Compliance Corrective Action, communicate outcomes, and retain complaint documentation for at least six years. They must also prohibit retaliation against complainants.
