What Happens after a HIPAA Complaint is Filed?

After a HIPAA complaint is filed, the receiving office records the complaint, evaluates whether the allegations fall under the HIPAA Privacy Rule, HIPAA Security Rule, or HIPAA Breach Notification Rule, determines whether it has jurisdiction and sufficient information to proceed, and then either conducts an internal investigation and corrective action process within the covered entity or initiates a federal review process through the HHS Office for Civil Rights that can lead to corrective action requirements, settlement terms, or civil monetary penalties.

When a complaint is submitted to a covered entity, the complaint is routed to the function responsible for HIPAA Privacy Rule administration, which is commonly the Privacy Officer or a designated privacy office. The covered entity documents the complaint and reviews the facts that are available, including the date of the alleged event, the affected patient, the workforce members involved, and the protected health information at issue. Intake procedures typically include confirming the complainant’s identity and relationship to the patient when the complainant is a personal representative, and collecting records such as access logs, disclosure records, message histories, call recordings, registration notes, or audit trail data.

The internal review focuses on whether the covered entity’s policies and procedures were followed and whether a use or disclosure was permitted, required, or impermissible under the HIPAA Privacy Rule. When the allegation involves electronic protected health information, the review also addresses safeguards required by the HIPAA Security Rule, including access control configuration, user provisioning, device handling, and security incident procedures. If the facts indicate an impermissible use or disclosure, the covered entity evaluates whether the event meets the definition of a breach and whether notification obligations apply under the HIPAA Breach Notification Rule.

Corrective actions commonly include workforce retraining, role-based access adjustments, technical configuration changes, revisions to procedures, and sanctions consistent with the covered entity’s sanction policy. The covered entity documents findings, actions taken, and closure determinations. The covered entity must not intimidate or retaliate against the complainant and should separate complaint handling from employment actions so that neither interferes with the complaint process.

When a complaint is submitted to the HHS Office for Civil Rights, the agency reviews whether the complaint is timely, whether the allegations involve a covered entity or business associate, and whether the issues fall within HIPAA enforcement authority. The HHS Office for Civil Rights may request additional information, open an investigation, or resolve the matter through technical assistance. When an investigation proceeds, the HHS Office for Civil Rights may request policies, training records, risk analysis documentation, breach risk assessments, audit logs, Business Associate Agreements, and evidence of mitigation and remediation.

Resolution outcomes can include voluntary corrective action, a corrective action plan with reporting and monitoring obligations, a resolution agreement with a monetary settlement, or a civil monetary penalty. Matters involving suspected criminal conduct may be referred to the U.S. Department of Justice under applicable federal authorities.

The Relevant HIPAA Regulations

45 CFR 164.530(d) is relevant because it requires a covered entity to have an internal complaint process and to document complaints and outcomes. The regulation states “A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part” and “a covered entity must document all complaints received, and their disposition, if any.” This text is relevant because it defines the covered entity’s required intake and recordkeeping steps after a complaint is received.

45 CFR 160.306(c) is relevant because it sets the federal complaint investigation trigger and describes what an investigation can include. The regulation states “The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect” and “The Secretary may investigate any other complaint filed under this section” and “An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.” This text is relevant because it establishes how a filed complaint can move into an investigation and what the investigation may examine.

45 CFR 160.310(b) is relevant because it requires covered entities and business associates to cooperate with the Secretary during complaint investigations and compliance reviews. The regulation states “A covered entity or business associate must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity or business associate to determine whether it is complying with the applicable administrative simplification provisions.” This text is relevant because it supports the post-filing process steps that involve document production, interviews, and other cooperation obligations.

45 CFR 160.312(a) and 45 CFR 160.312(b) are relevant because they describe outcomes after an investigation or compliance review. The regulation states “If an investigation of a complaint pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means” and “If, after an investigation pursuant to § 160.306 or a compliance review pursuant to § 160.308, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.” This text is relevant because it defines how a complaint can end through informal resolution measures or closure with written notice.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681