Who Handles HIPAA Complaints? A Practical Guide for Covered Entities
Designating a Privacy Officer or CISO
You need clear ownership for HIPAA complaints from day one. Under the HIPAA Privacy Rule, designate a Privacy Officer to oversee complaints about uses and disclosures, notices, and patient rights. For security incidents, designate a Security Official—often your CISO—to direct safeguards, incident response, and risk management under the HIPAA Security Rule.
Give these leaders authority and resources to act. Publish their contact details in your Notice of Privacy Practices and on internal channels so employees and patients know where to report concerns. In smaller organizations, one qualified leader may serve both roles, but responsibilities must remain distinct and well-documented.
Core responsibilities
- Receive, log, and triage all complaints and security incident reports.
- Coordinate investigations across privacy, security, compliance, legal, and IT.
- Guide risk assessments and remediation aligned to the HIPAA Privacy Rule and HIPAA Security Rule.
- Serve as the point of contact during the OCR complaint process and any HIPAA enforcement actions.
Establishing Internal Complaint Procedures
Develop a written procedure that is easy to find, simple to use, and consistently followed. Make reporting available via email, hotline, secure web form, and in person. State your non-retaliation policy and allow anonymous reports when feasible to encourage early escalation.
Intake and triage
- Capture who, what, when, where, and how PHI may have been involved.
- Classify the issue: privacy, security, breach, or administrative simplification (transactions/standards).
- Assign severity and response timelines, and acknowledge receipt to the reporter.
Process controls
- Maintain a centralized complaint log with unique IDs and status tracking.
- Document decisions, mitigation steps, and corrective action plans.
- Train workforce members on how to recognize and report HIPAA concerns.
- Retain all complaint-related documentation for at least six years.
Filing Complaints with HHS OCR
The Office for Civil Rights (OCR) handles complaints about the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule. Individuals, workforce members, business associates, and covered entities can submit complaints through the OCR complaint process.
When to involve OCR
- Serious or systemic violations, suspected willful neglect, or unresolved issues after internal efforts.
- Incidents affecting many individuals or involving sensitive PHI (for example, behavioral health).
What to prepare
- A clear narrative with dates, entities involved, and specific HIPAA provisions potentially violated.
- Supporting evidence: policies, screenshots, logs, notices, letters, and witness statements.
- Timeline of your internal investigation, remediation, and any notifications made.
OCR outcomes range from technical assistance and voluntary compliance to resolution agreements with corrective action plans and, in some cases, civil money penalties. Your cooperation, documentation quality, and demonstrated remediation materially influence outcomes.
CMS Enforcement of Administrative Simplification
Complaints about HIPAA Administrative Simplification—standard electronic transactions (e.g., X12 270/271, 837, 835), code sets, operating rules, EFT/ERA, and identifiers like NPI—are handled by the Centers for Medicare & Medicaid Services (CMS), specifically the CMS National Standards Group.
When to route to CMS
- Refusal to conduct standard transactions or improper code set/operating rule use.
- Barriers to electronic exchange (e.g., noncompliant claim or remittance formats).
CMS may request documentation, conduct compliance reviews, and coordinate with OCR if a complaint spans both standards and privacy/security. Resolutions can include education, corrective action, and monitoring to restore compliant transactions.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Investigating HIPAA Privacy and Security Violations
Move quickly to contain risk, preserve evidence, and determine scope. For privacy issues, confirm whether an impermissible use or disclosure occurred and assess whether the minimum necessary standard was met. For security incidents, activate your incident response plan and perform a risk analysis aligned with the HIPAA Security Rule.
Structured investigation steps
- Containment: revoke access, secure devices, isolate affected systems.
- Fact-finding: collect logs, emails, system records, and conduct interviews.
- Risk assessment: evaluate the nature and extent of PHI, the unauthorized recipient, whether PHI was actually viewed/acquired, and mitigation effectiveness.
- Determination: decide if a breach occurred and whether notifications are required.
- Remediation: implement corrective action plans, update safeguards, and retrain staff.
If a breach is confirmed, issue required notifications without unreasonable delay and within applicable HIPAA timelines. Keep a thorough record of your analysis, decisions, and actions.
Documenting and Resolving Complaints
Documentation is your proof of compliance and good faith. Maintain a complete record from initial report to closure, including decision rationales and evidence. Provide closure communications to reporters when appropriate.
What to document
- Complaint intake details, risk ratings, and routing.
- Investigation notes, evidence collected, and interviews conducted.
- Findings, mitigation steps, corrective action plans, and validation of effectiveness.
- Notifications sent, sanctions applied when warranted, and follow-up monitoring.
Use trends from your complaint log to strengthen safeguards and training. Demonstrated improvement can reduce enforcement risk and support favorable consideration in any HIPAA enforcement actions.
Understanding OCR and CMS Complaint Criteria
OCR generally accepts complaints that allege violations by a covered entity or business associate involving the HIPAA Privacy Rule, HIPAA Security Rule, or breach obligations, filed within applicable timeframes. Priority factors include scale, sensitivity of PHI, patient harm, and evidence of willful neglect.
CMS focuses on whether a covered entity or business associate failed to follow Administrative Simplification standards—transactions, code sets, operating rules, identifiers, or EFT/ERA. Complaints outside HIPAA’s scope may be redirected to other regulators or resolved through education.
Conclusion
Designate accountable leaders, build a reliable intake and investigation process, and document every step. Know when to engage OCR for privacy/security issues and CMS National Standards Group for standards complaints. Strong remediation and corrective action plans reduce risk and help you resolve HIPAA complaints effectively, minimizing the likelihood of civil money penalties.
FAQs
Who should employees contact to report a HIPAA complaint within a covered entity?
Employees should report concerns to the designated Privacy Officer for privacy/breach issues or the Security Official/CISO for security incidents. If you’re unsure, use your organization’s standard complaint channel; the compliance team will route it appropriately and track it to closure.
How does the OCR investigate HIPAA complaints?
OCR conducts an intake review, requests information and records, interviews relevant personnel, and may perform onsite or remote assessments. Outcomes can include technical assistance, voluntary compliance, or resolution agreements requiring corrective action plans—and, in serious cases, civil money penalties.
What types of HIPAA complaints does CMS handle?
CMS handles Administrative Simplification matters, such as noncompliant electronic transactions, code sets, operating rules, identifiers (like NPI), and EFT/ERA issues. These are managed by the CMS National Standards Group, not by OCR.
What documentation is required during the HIPAA complaint process?
Keep the complaint intake, investigation notes, evidence (logs, emails, screenshots), risk assessments, policies and procedures, training and sanction records, mitigation steps, notifications, and the final resolution. Maintain these records for at least six years to demonstrate compliance and remediation effectiveness.