HIPAA Covered Entity Complaint Process: Requirements, Timelines, and Best Practices
The HIPAA Covered Entity complaint process helps you address privacy and security concerns about protected health information (PHI) in a consistent, compliant way. This guide explains the requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule, outlines complaint resolution timelines, and shares best practices to reduce risk and strengthen trust.
Complaint Filing Requirements
Individuals, personal representatives, workforce members, and business associates may raise concerns about how a covered entity handles PHI. You must maintain a clear, accessible path for complaints and explain it in your Notice of Privacy Practices.
Where a complaint may be filed
- With the covered entity: Directly to your designated Privacy Officer or the contact person named in your Notice of Privacy Practices.
- With the U.S. Department of Health and Human Services Office for Civil Rights (OCR): Individuals can submit a complaint to the regulator if they believe HIPAA was violated.
What information should be included
- Complainant’s name and contact information (anonymous complaints may limit follow-up).
- Name of the covered entity or business associate involved.
- Dates and a concise description of the incident or practice at issue.
- Any known PHI elements involved and where/how the issue was discovered.
- Supporting materials (screenshots, messages, logs) that aid investigation.
Timeline to file with the regulator
Individuals generally have 180 days from when they knew of the alleged violation to file with OCR. OCR may extend this filing deadline for good cause. Internally, establish clear complaint resolution timelines so individuals know when to expect updates and outcomes.
Format and accessibility
Provide multiple intake options (secure web form, email, mail, and phone relay options) and reasonable accommodations. Make forms available in common languages and accessible formats. Accept complaints in writing or electronically; document any verbal complaints you receive.
Complaint Process Overview
A disciplined workflow promotes fair outcomes, faster resolution, and defensible records. The steps below balance thoroughness with timely action.
Intake and triage
- Acknowledge receipt promptly (best practice: within 3–5 business days) and explain next steps.
- Assess urgency and potential risk to PHI; take immediate steps to stop ongoing inappropriate uses or disclosures.
- Preserve evidence (system logs, emails, messages) consistent with Security Rule incident procedures.
Investigation and fact-finding
- Interview involved parties and review relevant records, policies, and access logs.
- Coordinate with the Security Officer for ePHI issues, including suspected security incidents.
- Analyze against policy and legal requirements (minimum necessary, access controls, safeguards).
Determination and remediation
- Classify findings (substantiated, unsubstantiated, or inconclusive) and document the rationale.
- Implement mitigation measures (e.g., retrieve misdirected PHI, correct permissions, enhance safeguards).
- Apply appropriate workforce sanctions when policies or HIPAA requirements were violated.
Closeout, communication, and complaint documentation
- Issue a written outcome to the complainant without disclosing confidential personnel actions.
- Record the complaint, investigation steps, evidence reviewed, determinations, mitigation, and final disposition.
- Retain complaint documentation and related policies for at least six years.
When a complaint triggers breach analysis
If the facts suggest an impermissible use or disclosure of unsecured PHI, conduct the Breach Notification Rule’s four-factor risk assessment, determine whether notification is required, and, if so, notify affected individuals without unreasonable delay and no later than 60 days after discovery.
Complaint Resolution Timelines (program targets)
- Acknowledge receipt: 3–5 business days.
- Begin investigation: within 5 business days of intake.
- Target resolution: within 30 calendar days; if complex, extend with written status updates and a new target date (not to exceed 60 days absent good cause).
- Regulatory deadlines still apply (e.g., breach notifications within 60 days of discovery).
Covered Entity's Obligations
HIPAA sets baseline duties that frame how you receive, evaluate, and resolve complaints—and how you prevent recurrence.
Privacy Rule requirements
- Designate a Privacy Officer and a contact person to receive complaints.
- Maintain written policies and procedures for complaint handling and workforce sanctions.
- Provide a Notice of Privacy Practices describing how to submit complaints and stating non-retaliation.
- Mitigate harmful effects of violations and apply minimum necessary standards.
Security Rule requirements
- Assign a Security Officer and implement administrative, physical, and technical safeguards for ePHI.
- Maintain security incident procedures, including response, reporting, and documentation.
- Conduct risk analysis and risk management, updating controls when investigations reveal gaps.
Breach Notification Rule obligations
- Perform a risk assessment when an impermissible use or disclosure of unsecured PHI is suspected.
- Notify affected individuals and, when required, HHS and the media, within prescribed timeframes (no later than 60 days after discovery for individual notices).
- Ensure business associates notify you of breaches without unreasonable delay and provide necessary details.
Complaint documentation and retention
- Document every complaint and its disposition; preserve investigative records, communications, and remediation steps.
- Retain documentation for at least six years from creation or last effective date, whichever is later.
Civil Monetary Penalties and Corrective Action Plans
OCR may resolve investigations with technical assistance, voluntary compliance, corrective action plans, or civil monetary penalties depending on severity, culpability, and harm. Strong documentation, timely mitigation, and sustainable fixes reduce enforcement risk.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Retaliation Prohibition
HIPAA prohibits intimidation, coercion, threats, discrimination, or retaliation against anyone who files a complaint, assists in an investigation, or otherwise exercises HIPAA rights. You also may not require individuals to waive their privacy rights as a condition of treatment, payment, or enrollment.
Protected activities
- Filing a complaint with the covered entity or OCR.
- Testifying, assisting, or participating in an investigation or proceeding.
- Opposing practices reasonably believed to violate HIPAA, if done lawfully.
Examples of prohibited retaliation
- Refusing care, changing coverage terms, or delaying services because a complaint was filed.
- Demoting, disciplining, or firing employees who report concerns in good faith.
- Threatening to report an immigrant’s status or otherwise intimidating a complainant.
Practical safeguards
- Route all post-complaint communications through the Privacy Office to reduce bias and protect confidentiality.
- Train supervisors and staff annually on non-retaliation and escalation protocols.
- Track and audit for adverse actions affecting complainants after a report is made.
Best Practices for Covered Entities
Design accessible intake
- Offer multiple channels and clear instructions; keep forms simple and available in common languages.
- Allow representatives to file on behalf of individuals and provide accommodations for disabilities.
Standardize triage and complaint resolution timelines
- Define severity levels and set SLA targets (acknowledge in 3–5 days, resolve in 30; extend with notice).
- Use a decision matrix to identify when to involve Security, Legal, HR, or senior leadership.
Investigate with rigor and confidentiality
- Use a written investigation plan, witness lists, and evidence logs to support defensible outcomes.
- Limit access to case files on a need-to-know basis and maintain an audit trail of all actions.
Implement Corrective Action Plans
- Address root causes with policy updates, targeted training, technical safeguards, and monitoring.
- Set measurable milestones and verify effectiveness; keep CAPs open until controls operate reliably.
Coordinate with business associates
- Specify complaint notification and breach-report timelines in BAAs.
- Share only minimum necessary information for investigation and require documentation of BA remediation.
Track trends and continuously improve
- Analyze complaint types, sources, and departments to spot patterns.
- Report metrics to governance committees and use insights to refine training and safeguards.
Conclusion
By operationalizing the HIPAA Covered Entity complaint process—clear intake, disciplined investigations, timely mitigation, robust complaint documentation, and realistic complaint resolution timelines—you resolve issues faster, protect PHI, and reduce exposure to civil monetary penalties while building patient trust.
FAQs
How do I file a HIPAA complaint?
You can submit a complaint to the covered entity’s Privacy Officer or directly to the HHS Office for Civil Rights. Provide your contact details, the entity’s name, dates, a concise description of what happened, and any supporting materials. Filing with the entity first often speeds resolution, but you may contact OCR at any time within the filing window.
What is the timeline for filing a HIPAA complaint?
In general, you have 180 days from when you knew about the issue to file with OCR. OCR may grant an extension for good cause. Covered entities should also publish internal complaint resolution timelines so complainants know when to expect updates and outcomes.
What protections exist against retaliation for filing a complaint?
HIPAA prohibits intimidation, threats, discrimination, or other retaliation for filing a complaint or participating in an investigation. A covered entity may not require you to waive your privacy rights to receive care or coverage.
What steps must covered entities take after receiving a complaint?
Acknowledge receipt, preserve evidence, and promptly investigate. Determine findings, mitigate harm, apply workforce sanctions if warranted, and document everything. If the facts suggest a breach of unsecured PHI, conduct the Breach Notification Rule risk assessment and provide required notices within regulatory timeframes.