Who Should HIPAA Complaints be Directed to within the Covered Entity?

by John Blacksmith

HIPAA complaints within a HIPAA Covered Entity should be directed to the designated contact identified in the organization’s Notice of Privacy Practices for privacy complaints, which is typically the Privacy Officer or another workforce member assigned to receive and document complaints under the HIPAA Privacy Rule complaint process.

The HIPAA Privacy Rule requires covered entities to provide a process for individuals to make complaints concerning the entity’s privacy policies and procedures or its compliance with the HIPAA Privacy Rule, and to describe that process in the Notice of Privacy Practices. The Notice of Privacy Practices is the controlling internal reference for where a patient or personal representative should send a complaint, because it identifies the office, role, or department authorized to receive complaints and the method for submitting them.

Many covered entities route complaints through a Privacy Officer, a compliance department, or a dedicated privacy office mailbox or portal. Complaints involving access, amendment, accounting of disclosures, restrictions, confidential communications, or suspected impermissible uses or disclosures of protected health information are handled through the privacy complaint pathway. When a complaint alleges a workforce member used or disclosed protected health information without permission, the designated privacy complaint contact is the appropriate initial recipient even if human resources or management later conducts a parallel personnel process.

When a complaint concerns safeguards for electronic protected health information, such as access controls, user credentials, device handling, audit logs, or security incident response, the privacy complaint contact can intake the complaint and then coordinate with the Security Officer or information security function responsible for HIPAA Security Rule administration. This routing avoids fragmented reporting and preserves a single complaint record that supports documentation, mitigation, and corrective action tracking.

Covered entities should maintain internal procedures that ensure complaints are logged, acknowledged, investigated, and closed with documented findings and remediation steps when applicable. Procedures should address who may receive complaints outside the designated contact, such as front desk staff, supervisors, call centers, or patient relations, and require immediate forwarding to the designated privacy complaint contact to prevent delays and incomplete documentation.

Individuals also have the option to file a complaint with the HHS Office for Civil Rights, and covered entities should avoid statements or practices that deter external reporting. Covered entities must not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a person for filing a complaint or participating in an investigation or compliance review, and internal complaint handling should include controls that separate complaint intake from employment actions that could be perceived as retaliation.

The Relevant HIPAA Regulations

45 CFR 164.520(b)(1)(vi) is relevant because it requires the Notice of Privacy Practices to tell individuals they can complain and to explain how to file a complaint with the covered entity. The regulation states “The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.” This text is relevant because it drives the internal direction of complaints by requiring the covered entity to describe its complaint submission pathway.

45 CFR 164.520(b)(1)(vii) is relevant because it requires the Notice of Privacy Practices to identify whom to contact inside the covered entity for more information. The regulation states “The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).” This text is relevant because the named person or office is commonly the internal recipient for privacy-related questions and is often aligned with the complaint intake contact described in the notice.

45 CFR 164.530(d)(1) and 45 CFR 164.530(d)(2) are relevant because they require a covered entity to maintain an internal complaint process and to document complaints and dispositions. The regulation states “A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part” and “a covered entity must document all complaints received, and their disposition, if any.” This text is relevant because directing complaints to a defined internal function supports intake, documentation, investigation, and closure.

45 CFR 164.530(g)(1) and 45 CFR 160.316 are relevant because they prohibit intimidation or retaliation tied to filing a complaint or participating in a compliance process. The regulation states that a covered entity “May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section” and it further states “A covered entity or business associate may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for filing of a complaint under § 160.306.” This text is relevant because complaint routing and intake procedures must operate without adverse action against the complainant.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.