How to Respond to a HIPAA Complaint: Privacy Officer's Step-by-Step Guide

Practical guidance for healthcare teams and business associates

If a complaint has already been filed — whether by a patient directly to your office or through the HHS Office for Civil Rights — the first thing to understand is this: most HIPAA complaints do not result in fines. OCR resolves the majority of complaints through what it calls "technical assistance," which is essentially a structured conversation about what happened and how you are addressing it. That does not mean the situation is trivial. It means that how you respond in the next few days and weeks will largely determine the outcome. This guide walks Privacy Officers through each stage of the complaint response process — from the moment you first learn of the complaint through an OCR investigation, if it gets that far.

How to Respond to a HIPAA Complaint: What Privacy Officers Need to Do Right Now

There are two distinct scenarios you may be managing: an internal complaint filed by a patient or workforce member directly to your organization, and an external complaint filed with OCR. Both require structured, documented responses — but the stakes and timelines differ. This guide covers both, starting with the internal process, because how you handle an internal complaint often determines whether it escalates to OCR at all.

Step 1: Stay Calm — Understand What You Are Actually Dealing With

Before responding to anything, you need to know what kind of complaint you have received and what the likely trajectory is.

OCR receives tens of thousands of complaints per year. In its most recently published enforcement data, the vast majority were resolved without a formal finding against the entity: many are closed at intake for lack of jurisdiction, and most of the rest are resolved through technical assistance or early intervention rather than formal investigation or civil monetary penalties. Formal investigations represent a fraction of total complaints, and civil monetary penalties are rarer still. This context matters because it shapes your response posture. You are not automatically facing a fine. You are facing a process, and the process rewards organizations that respond promptly, cooperate openly, and demonstrate that they take compliance seriously.

The most common complaint categories OCR receives include:

  • Right of access failures — patients denied timely access to their medical records (45 CFR 164.524). Impermissible uses and disclosures remain the most frequently alleged issue in complaints overall, but right of access has been the most frequent subject of OCR's published settlements since its 2019 Right of Access Initiative.
  • Impermissible uses and disclosures — PHI shared without proper authorization or outside of a permitted purpose
  • Inadequate safeguards — insufficient physical, administrative, or technical controls protecting PHI
  • Lack of notice of privacy practices — failure to provide or post an adequate NPP
  • Retaliation against individuals for exercising their rights — a standalone violation under 45 CFR 164.530(g)

Knowing which category you are in helps you scope the investigation and assemble the right documentation quickly.

Step 2: Document Everything from the Moment You Learn of the Complaint

The single most important thing you can do in the first 24 hours is start a complaint log and keep it current. Document:

  • The date and time you received notice of the complaint
  • The source (patient, workforce member, OCR letter, phone call)
  • The nature of the alleged violation, in the complainant's own words where possible
  • The names of staff members involved or identified in the complaint
  • Any related records, communications, or system logs you are aware of at this stage
  • Every action your organization takes in response, with dates and the names of staff involved

This log becomes your compliance record. If OCR opens an investigation, this documentation demonstrates that your organization responded in good faith and in a timely manner. Organizations that can produce a clear, contemporaneous response record are in a much stronger position than those reconstructing a timeline from memory six months later.

Designate a single point of contact for the complaint — typically the Privacy Officer — and route all communications through that person. This prevents inconsistent statements and ensures nothing gets lost across departments.

Step 3: Conduct an Internal Investigation Before Responding to Anyone

Do not respond to the complainant or to OCR before you understand what actually happened. Rushing to respond before you have the facts creates risk — you may contradict yourself later, or acknowledge something inaccurate that complicates your position.

A practical internal investigation includes:

Gather the relevant records. Pull the patient's access log, any correspondence related to the complaint, system audit logs, and training records for the involved staff. If the complaint involves a records request, document when the request was received, when it was fulfilled, and what format the records were provided in.

Interview involved staff members. Do this promptly, while memories are fresh. Use open-ended questions. Document the conversations. Make clear to staff that the purpose is fact-finding, not discipline — at this stage.

Review your policies and procedures. Was there a written policy governing the situation? Was staff trained on it? Was the policy followed, or was the policy itself the problem?

Determine the scope of any disclosure. If PHI was impermissibly disclosed, you need to know: what information was involved, how many individuals were affected, and whether the disclosure may trigger your HIPAA Breach Notification Rule obligations.

Assess what went wrong and why. Was this a systemic failure or an isolated incident? Was it a training gap, a process gap, or a technology gap? This assessment shapes both your response and your remediation plan.

In many cases, the internal investigation reveals that what happened was not technically a HIPAA violation — or that the scope was narrower than the complaint suggested. In other cases, it reveals a genuine gap that needs to be corrected regardless of what OCR does. Either way, you need the facts before you respond.
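The audit-log review in Step 3 is the part of the investigation that benefits most from tooling: you need to find every access to the complainant's record that lacks a documented basis, and then size the incident by asking what else each flagged user touched. The script below is an added example written for this guide, not code from the original article or from any EHR vendor. It assumes a simple CSV-style audit export with the columns `timestamp, user_id, role, patient_mrn, action, reason`; real EHR audit formats differ, so the field names, the care-team list and the sample rows are all constructed assumptions.

```python
"""Triage an EHR access audit log for a HIPAA complaint investigation.

Added example for this guide (not from the original article). The CSV
layout, field names, care-team list and sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit export: one row per PHI access event.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,role,patient_mrn,action,reason
2024-03-01T08:02:11,jsmith,physician,MRN1001,VIEW,treatment
2024-03-01T08:15:40,akhan,nurse,MRN1001,VIEW,treatment
2024-03-01T12:44:03,bjones,billing,MRN1001,VIEW,payment
2024-03-02T22:17:55,tlee,front_desk,MRN1001,VIEW,
2024-03-02T22:19:30,tlee,front_desk,MRN1001,PRINT,
2024-03-03T09:05:12,tlee,front_desk,MRN1042,VIEW,
2024-03-03T09:06:48,tlee,front_desk,MRN1077,VIEW,
2024-03-04T14:30:00,rgarcia,physician,MRN1001,VIEW,break_the_glass
"""

# Constructed: the complainant's care team (from scheduling/encounter data
# in practice), roles that may access PHI for payment/operations purposes,
# and override reasons the EHR records as a documented justification.
CARE_TEAM = {"jsmith", "akhan"}
PAYMENT_OR_OPS_ROLES = {"billing", "him"}
DOCUMENTED_OVERRIDE_REASONS = {"break_the_glass"}


def parse_audit_log(text):
    """Parse the CSV export into dicts, converting timestamps to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def flag_unexplained_accesses(rows, patient_mrn, care_team):
    """Return accesses to patient_mrn with no documented basis.

    An access is explained if the user is on the care team, holds a
    payment/operations role and recorded a purpose, or recorded an
    override reason. Anything else is a candidate impermissible access.
    """
    flagged = []
    for r in rows:
        if r["patient_mrn"] != patient_mrn:
            continue
        if r["user_id"] in care_team:
            continue
        if r["role"] in PAYMENT_OR_OPS_ROLES and r["reason"]:
            continue
        if r["reason"] in DOCUMENTED_OVERRIDE_REASONS:
            continue
        flagged.append(r)
    return flagged


def scope_for_user(rows, user_id):
    """Summarize every record a flagged user touched, to size the incident.

    The distinct-patient count is what drives the Breach Notification Rule
    analysis if the accesses are confirmed impermissible.
    """
    by_patient = defaultdict(list)
    for r in rows:
        if r["user_id"] == user_id:
            by_patient[r["patient_mrn"]].append(r)
    events = [e for evs in by_patient.values() for e in evs]
    return {
        "user_id": user_id,
        "distinct_patients": sorted(by_patient),
        "event_count": len(events),
        "first_seen": min(e["timestamp"] for e in events).isoformat(),
        "last_seen": max(e["timestamp"] for e in events).isoformat(),
        "actions": sorted({e["action"] for e in events}),
    }


def triage(text, patient_mrn, care_team):
    """Flag unexplained accesses to one record, then scope each flagged user."""
    rows = parse_audit_log(text)
    flagged = flag_unexplained_accesses(rows, patient_mrn, care_team)
    users = sorted({r["user_id"] for r in flagged})
    return {
        "flagged_events": len(flagged),
        "flagged_users": users,
        "scope": {u: scope_for_user(rows, u) for u in users},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG, "MRN1001", CARE_TEAM)
    print(f"{result['flagged_events']} unexplained access event(s) by {result['flagged_users']}")
    for user, s in result["scope"].items():
        print(f"  {user}: {s['event_count']} events, {len(s['distinct_patients'])} patient(s), "
              f"{s['first_seen']} to {s['last_seen']}, actions={s['actions']}")
```

On the constructed data, the care team, the billing user with a recorded purpose, and the physician who recorded a break-the-glass override all drop out; the front-desk user with blank reasons is flagged, and the scope pass shows that user also opened two unrelated records, which is exactly the fact that changes the question from "one complaint" to "how many individuals were affected." Keep the export you ran this against, the parameters you used, and the output in the complaint log, since OCR's data request will likely ask for the audit logs that supported your conclusions.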

Step 4: Respond to the Patient or Complainant Appropriately

If the complaint came directly to your organization — not through OCR — you have an opportunity to resolve it at this level without regulatory involvement. Most patients who file complaints want one of three things: an acknowledgment that something went wrong, a correction of the underlying problem, or access to records they were denied. In many cases, providing what the patient actually needs is both the right thing to do and the most effective de-escalation strategy.

A few guidelines for responding to the complainant directly:

  • Respond in writing, and retain a copy of your response
  • Acknowledge that the organization received the complaint and took it seriously
  • Do not admit to a HIPAA violation unless your legal counsel has reviewed the situation — phrases like "we regret any inconvenience" are very different from "we violated your HIPAA rights"
  • If the complaint involves a records access request, fulfill it promptly under 45 CFR 164.524 — patients generally must receive their records within 30 days, with one 30-day extension available
  • Describe any corrective action you are taking without making commitments you cannot keep

Note that patients may simultaneously file a complaint with OCR even after receiving a response from your organization. OCR has the authority to investigate complaints regardless of whether the organization has already responded to the individual. Resolving the complaint with the patient does not automatically close an OCR complaint — but it is still the right move, and OCR will note that the organization engaged in good-faith resolution.

Critical: Anti-Retaliation. Under 45 CFR 164.530(g), covered entities may not intimidate, threaten, coerce, discriminate against, or retaliate against any individual who files a complaint with HHS, participates in an investigation, or exercises any right under the Privacy Rule; 45 CFR 160.316 imposes the same prohibition on both covered entities and business associates. This prohibition is absolute. Terminating, disciplining, intimidating, threatening, or otherwise acting against a patient or workforce member because they filed a complaint is itself a HIPAA violation, and one OCR takes seriously. Make sure every manager and supervisor involved in the situation understands this clearly.

Step 5: If OCR Contacts You — What to Expect and How to Respond

When OCR receives a complaint, it first screens it for jurisdictional eligibility. Not all complaints make it past the screening stage. OCR will not investigate complaints filed more than 180 days after the alleged violation (unless waived for good cause), complaints against entities that are not HIPAA covered entities or business associates, or complaints that are clearly not HIPAA-related.

If the complaint survives screening, OCR may:

  • Contact your organization by letter or phone to inform you of the complaint and request an initial response
  • Request specific documentation — policies, training records, audit logs, correspondence
  • Ask for a written description of your compliance program and how the situation was handled
  • Schedule an on-site review in more complex cases

When OCR sends an initial inquiry letter, you will typically have 30 days to respond in writing. This is not optional and not a deadline to miss. Your response should:

  • Address each question OCR asked, specifically and completely
  • Provide copies of the requested documentation (not originals)
  • Describe the facts of the situation as your investigation determined them
  • Describe any corrective actions you have taken or are in the process of taking
  • Be written in a professional, cooperative tone — OCR investigators respond better to organizations that engage constructively

A practical approach is to have legal counsel review your OCR response before submission, particularly if the situation involves a potential breach, a pattern of similar complaints, or significant PHI exposure. This content is for educational and informational purposes only and should not be construed as legal advice.

The OCR Investigation Process: What Actually Happens

If OCR proceeds past the initial inquiry, the investigation typically follows a predictable pattern. Understanding the stages helps you prepare documentation in advance rather than scrambling under deadline pressure.

Data request. OCR will ask for specific records. Common requests include your Notice of Privacy Practices, workforce training records, relevant policies and procedures, the risk analysis and risk management plan, documentation of workforce sanctions for prior violations, and any audit logs related to the complaint. Organizations that maintain well-organized compliance documentation can respond to these requests efficiently. Organizations that have never conducted a formal risk assessment or cannot produce training records are immediately at a disadvantage.

Interviews and on-site reviews. In more complex investigations, OCR investigators may request to speak with the Privacy Officer and other involved staff, or conduct an on-site visit to review your facility and operations. On-site reviews are more common in larger investigations or where OCR has reason to believe systemic violations are present.

Resolution options. OCR investigations resolve in one of several ways:

  • Technical assistance — OCR finds no violation or the issue was corrected informally. This is the most common outcome.
  • Voluntary compliance — OCR identifies a compliance gap and the organization corrects it without formal action
  • Resolution agreement — OCR and the organization reach a negotiated settlement that typically combines a monetary payment with a corrective action plan. The organization is monitored for the duration of the plan.
  • Corrective action plan (CAP) — The remediation component of a resolution agreement: specific policy, training, and technical-control obligations, usually with mandatory reporting to OCR over a defined period, often two years.
  • Civil monetary penalties (CMPs) — Formal financial penalties imposed after OCR determines violations and the organization does not reach a resolution agreement. CMPs are relatively rare and typically occur in cases involving egregious violations, large-scale breaches, or repeated failures to comply.

The most significant enforcement actions — those resulting in million-dollar penalties — have consistently involved organizations that failed to conduct a risk analysis, failed to implement basic access controls, or had a demonstrated pattern of ignoring compliance requirements. A single complaint that is investigated and resolved cooperatively very rarely reaches CMP territory.

Your Documentation Is Your Defense

Throughout an OCR investigation, the organization's documented compliance program is its strongest asset. Specifically, OCR looks for evidence of:

  • A completed and current risk analysis (45 CFR 164.308(a)(1)(ii)(A)) — this is the single most commonly cited deficiency in enforcement actions
  • A risk management plan that addresses identified risks
  • Written policies and procedures that cover the area at issue in the complaint
  • Workforce training records showing that relevant staff were trained on the applicable policies
  • A sanction policy for workforce members who violate HIPAA
  • A process for accepting, evaluating, and resolving privacy complaints internally (45 CFR 164.530(d))
  • Documentation of any prior complaints and how they were resolved

Organizations that can produce this documentation quickly signal to OCR that compliance is taken seriously and that the complaint may represent an isolated incident rather than a systemic failure. Organizations that cannot produce basic documentation — particularly a risk analysis — will face significantly more scrutiny, regardless of what the original complaint was about.

If you identify gaps during the investigation process, address them immediately and document that you did. Demonstrating active remediation during an OCR investigation is viewed positively. OCR's goal, as stated in its published enforcement guidance, is to achieve voluntary compliance — not to maximize penalties. Showing that you are fixing the problem is exactly what OCR wants to see.

For organizations that have not yet conducted a formal risk assessment, see our guide on how to conduct a HIPAA risk assessment — getting one in place before or during an investigation significantly improves your position.

Right of Access Complaints: A Special Note

Because right of access violations have been the most frequent subject of OCR's published settlements since 2019, they deserve specific attention. Under 45 CFR 164.524, patients have the right to inspect and receive a copy of their PHI no later than 30 days after the request (with one 30-day extension, provided the individual is given written notice of the reason and the expected completion date within the initial 30 days). Organizations may charge a reasonable cost-based fee, but they cannot require patients to pick up records in person when they have asked for them to be mailed or sent electronically, refuse an electronic copy in the requested form and format when it is readily producible, or delay fulfillment unreasonably.

OCR's Right of Access Initiative, launched in 2019, has resulted in dozens of enforcement actions against organizations of all sizes — including small practices — for relatively straightforward violations like taking 90 days to fulfill a records request, charging excessive fees, or requiring notarization as a precondition. Penalties in these cases have ranged from a few thousand dollars to over $200,000.

If your complaint involves a records access request, fulfill it immediately — even if the complaint is already filed. Provide the records as quickly as possible, document that you did, and note the timeline in your response to OCR. Demonstrating that the issue was resolved promptly after you became aware of it is important.

Enforcement Examples Worth Knowing

A few published enforcement cases illustrate how OCR approaches complaints and what organizations can learn from them:

In 2022, OCR settled with a small dental practice that had failed to provide a patient with access to her records for over a year. The settlement included a $30,000 payment and a two-year corrective action plan, imposed on a small practice on the basis of a single complaint. The core issue was not a complex technical violation. It was a straightforward failure to fulfill a records request in a timely manner.

In a 2019 case involving a large hospital system, OCR investigated following multiple breach reports and identified systemic failures in the risk analysis program. The resolution agreement exceeded $3 million. The scope of that investigation expanded well beyond the original breach reports because OCR found evidence of organization-wide compliance failures.

The pattern in high-penalty cases is consistent: penalties escalate when OCR finds that the organization lacked fundamental compliance infrastructure, not merely that a single incident occurred. A complaint is a bounded problem. A compliance program failure is a systemic one — and OCR responds accordingly.

FAQs

How long does OCR have to investigate a HIPAA complaint?

There is no statutory deadline by which OCR must complete an investigation. Investigations can take months or, in complex cases, years. The 180-day deadline applies to the complainant — individuals must file with OCR within 180 days of discovering the alleged violation, unless OCR grants a waiver for good cause. Once a complaint is filed, OCR proceeds on its own timeline.

Can a patient file a HIPAA complaint directly with OCR after complaining to the organization?

Yes. Patients may file with OCR at any time within the 180-day window, regardless of whether they also complained directly to your organization. A patient who received a satisfactory response from your organization may still file with OCR, and OCR has the authority to investigate. Resolving the complaint with the patient is the right thing to do — but it does not foreclose an OCR complaint.

What is the first thing a Privacy Officer should do when a complaint is received?

Open a complaint log and document everything you know immediately. Before responding to anyone — the complainant, OCR, or your own staff outside the investigation team — gather the facts through an internal investigation. Responding before you understand what happened creates more risk than taking a few days to investigate thoroughly.

Does having a compliance program in place actually affect the outcome of an OCR investigation?

Yes, significantly. OCR explicitly considers the organization's compliance history, the presence of a documented compliance program, and the corrective actions taken in response to a complaint when determining how to resolve an investigation. Organizations with a current risk analysis, written policies, and workforce training records consistently fare better in OCR investigations than those without. The documentation does not guarantee a favorable outcome, but its absence almost always makes the outcome worse.

What should we do if we realize we have a reportable breach during the complaint investigation?

Report it. The Breach Notification Rule (45 CFR 164.400–414) requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach; to notify HHS (within the same 60 days for breaches affecting 500 or more individuals, or in an annual log submitted within 60 days after the end of the calendar year for smaller breaches); and, if the breach affects more than 500 residents of a state or jurisdiction, to notify prominent media outlets serving that area. Discovering a breach during a complaint investigation does not suspend these timelines; the discovery date starts the clock. Attempting to conceal a reportable breach would be a far more serious problem than the original complaint. For a detailed breakdown of breach response obligations, see our guide on HIPAA Breach Notification Rule compliance.

Can OCR investigate issues beyond the scope of the original complaint?

Yes. Once OCR opens an investigation, it may expand the scope if it finds evidence of additional violations or systemic compliance failures. This is one reason why having a complete and organized compliance program matters so much — an investigation triggered by a single access complaint can expand significantly if OCR finds that the organization has no risk analysis, no training records, or a pattern of unremediated violations.

What does a corrective action plan require?

Corrective action plans (CAPs) vary based on the violations identified, but typically require the organization to implement specific policies or technical controls, provide workforce training, conduct periodic risk analyses, and submit compliance reports to OCR over a defined monitoring period — often one to three years. CAPs are negotiated and are generally less financially severe than civil monetary penalties, but they create ongoing reporting obligations and require sustained compliance attention. For organizations facing a CAP, the compliance infrastructure required is essentially what a complete HIPAA program should already include.

Conclusion

Receiving a HIPAA complaint — whether directly from a patient or through OCR — is manageable when you respond with a structured, documented process. The organizations that end up in OCR's published enforcement actions are almost never there because of a single mistake. They are there because they lacked the documentation, the policies, or the internal processes to demonstrate that they take HIPAA seriously. The best time to build that infrastructure is before a complaint arrives. The second best time is right now. One Guy Consulting helps healthcare organizations build practical HIPAA compliance programs — from risk assessments to policies and procedures to workforce training — that hold up when it matters most. Book a demo today to see how we support Privacy Officers at every stage of compliance.
