
Awareness article

How to Respond to a Patient's HIPAA Privacy Complaint

HIPAA requires a complaint process and shapes how clinics respond when a patient files internally or with the Office for Civil Rights. This guide covers both tracks and the documentation each requires.

Short answer

Every covered entity must accept and respond to HIPAA complaints. Patients can complain to the clinic directly or to the Office for Civil Rights, and the response procedures differ. The single biggest determinant of how a complaint resolves is the quality of the documentation the clinic produces.

A HIPAA complaint is rarely the first sign of a problem, but it is often the moment a problem becomes formal. A patient who feels their privacy was mishandled has two paths: come to the clinic directly, or file with the Office for Civil Rights. The two tracks can run in parallel, and a complaint that starts internally can move to OCR if the patient is not satisfied.

The good news is that the response procedure is the same shape in both cases - acknowledge, investigate, document, respond, correct - and the regulation is explicit about what is required. The clinic’s job is to have a process on file before the first complaint arrives and to follow it consistently.

Your HIPAA complaint obligations

The relevant provision is 45 CFR 164.530(d):

A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.

A covered entity must document all complaints received, and their disposition, if any.

Three discrete obligations come out of that text:

  1. The clinic must have a complaint process.
  2. The clinic must accept complaints and not discourage patients from filing.
  3. The clinic must document each complaint and what happened to it.

The Notice of Privacy Practices required by 45 CFR 164.520 must inform patients of their right to complain to the clinic and to the Secretary of HHS. The notice must also identify a contact for complaints.

Anti-retaliation is reinforced at 45 CFR 164.530(g): the clinic cannot intimidate, threaten, or retaliate against anyone for filing a complaint or cooperating with an investigation.

Internal complaint process

A clean internal process has five steps:

  1. Acknowledge. Confirm receipt to the patient in writing within a defined window - many clinics commit to two business days. The acknowledgment should identify the staff member handling the matter and set expectations for next steps.
  2. Investigate. Gather the facts. This usually means pulling the access log for the patient’s record, interviewing the workforce members involved, reviewing the relevant policy, and identifying whether what occurred was a violation, a training gap, or a misunderstanding.
  3. Document. Write down what was found. The documentation should include the complaint as received, the steps taken to investigate, what was found, and the date of each step. This is the record that supports the disposition.
  4. Respond. Communicate the outcome to the patient. The response should describe what was investigated, what was found, and what actions are being taken. If the response is “no violation occurred,” it should explain why.
  5. Document the resolution. Close out the file with the disposition, the corrective actions taken, the date, and the person responsible for each action.

The complaint file lives under the same six-year retention rule as the rest of the clinic’s compliance documentation under 45 CFR 164.316(b)(2)(i).

When a patient files with OCR

A patient files an OCR complaint at hhs.gov/hipaa/filing-a-complaint or by mail to the regional office. OCR triages the complaint and decides whether to open an investigation. If it does, the clinic typically learns of the matter through a letter that:

  • Identifies the complaint and the alleged conduct.
  • Reminds the clinic of its obligation to cooperate and not retaliate.
  • Requests specific documentation, often including the risk analysis, applicable policies, training records, BAA register, the access log for the affected patient, and the complaint file if the patient also complained internally.
  • Sets a response deadline, typically a few weeks.

The standard response moves are straightforward and non-negotiable:

  • Cooperate. OCR investigators have authority to obtain documents and conduct interviews. Cooperation is required by 45 CFR 160.310.
  • Produce the requested documentation completely and on time. Late or incomplete production hurts the clinic’s posture and can extend the investigation.
  • Do not destroy any records relevant to the matter. Once a complaint is on file, all related documentation must be preserved. Destruction of records after notice is a separate violation and can elevate culpability into willful neglect territory.
  • Consider counsel. Even small clinics benefit from health-care counsel for any matter that proceeds past the initial intake. Counsel should be engaged before the response is sent, not after.
  • Single point of contact. Designate one person inside the clinic to communicate with OCR. Multiple voices create conflicts in the record.

A single OCR complaint can lead to a broader compliance review. If the response materials reveal gaps - no risk analysis, missing BAAs, no training records - OCR can expand the matter beyond the original complaint. This is one reason a current, well-organized documentation set matters more than any single policy.

Investigation and response steps

Whether the complaint is internal, OCR, or both, the response follows the same structure:

  • Preserve. Issue a litigation-style hold internally so no relevant records are altered or deleted.
  • Scope. Identify what systems, workforce members, dates, and patient records are within the scope of the investigation.
  • Collect. Pull the access logs, system records, communications, and policy documents that bear on the question.
  • Analyze. Determine what occurred against the requirements of HIPAA and the clinic’s own policies. Identify whether the conduct was a violation, a training gap, a process gap, or compliant.
  • Decide. Reach a finding. If a violation occurred, identify the responsible parties, the contributing factors, and the corrective actions needed.
  • Communicate. Respond to the patient and, where applicable, to OCR.

Throughout, every action is timestamped and recorded.

Corrective action

If the complaint reveals an actual violation, the clinic’s sanction policy applies. 45 CFR 164.530(e) requires:

A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part.

The sanction policy itself is one of the required policy documents in the clinic’s compliance set. Applying it consistently - and documenting the application - is what prevents a “policy on paper” finding by OCR.

Beyond individual sanctions, corrective action typically includes some combination of:

  • Updated or new policies and procedures.
  • Targeted retraining for affected workforce members or for the whole staff.
  • Technical changes (access controls, audit logging, configuration).
  • Vendor changes or new BAA terms.
  • Updates to the clinic’s risk analysis and risk management plan.

Each corrective action goes into the documentation set with an owner, a target date, and a completion record.

Documentation

The complete complaint record contains, at minimum:

  • The complaint as received, with date and intake channel.
  • Acknowledgment to the patient.
  • Investigation steps taken, including who, what, and when.
  • Findings.
  • Sanctions applied, if any.
  • Corrective actions, with completion records.
  • Response to the patient.
  • If OCR is involved, all correspondence and the final OCR letter.
  • The disposition and the closing date.

Retain for six years from creation or from the last effective date of any related policy change, whichever is later, under 45 CFR 164.316(b)(2)(i).


For more on the documentation infrastructure that supports a strong complaint response, see HIPAA Documentation Requirements for Small Medical Clinics. The full series is collected at the HIPAA basics hub.

PHIGuard captures complaints, investigation steps, sanctions, and corrective actions as a single timestamped record retained automatically for six years - exactly the file OCR asks for. Current plan and BAA details are published on the pricing page. Learn more at PHIGuard HIPAA.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.


Questions related to this topic

What is the deadline for a patient to file a HIPAA complaint with OCR?

OCR generally requires complaints to be filed within 180 days of when the complainant knew or should have known of the alleged violation. OCR may extend this period for good cause. The internal complaint process at the clinic does not have a corresponding statutory deadline, but most clinic policies set one.

Can we retaliate against a patient who files a complaint?

No. 45 CFR 164.530(g) prohibits intimidation, threats, coercion, discrimination, or other retaliation against any individual for filing a complaint, participating in an investigation, or opposing a practice they believe violates HIPAA. Retaliation is itself a HIPAA violation.

Does a single complaint always become a full investigation?

No. OCR triages complaints and closes many at intake, especially when the conduct alleged is not within HIPAA's scope or when the complaint lacks specificity. Complaints that proceed can range from a request for documentation to a full compliance review covering the clinic's entire program.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.
